have a perimeter!
PAGE 16

That’s the Ticket
StubHub fights fraud
PAGE 26

Savings Bank: “I would have paid more attention to the emotional piece of the case I was trying to

4 security veterans find new perspectives on executive communication
PAGE 20

www.csoonline.com $9.00 June 2012

Virtualize, the plug-and-play way.

Take 10 minutes to see for yourself.

See how the IBM BladeCenter Foundation for Cloud makes things easy for you. Visit ibm.com/systems/foundation

IBM, the IBM logo, ibm.com and BladeCenter are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. Intel, the Intel logo, Xeon and Xeon Inside are trademarks of Intel Corporation in the U.S. and other countries. © International Business Machines Corporation 2011. All rights reserved.

Powerful. Intelligent.

With numerous hardware, software and networking options to choose from, virtualization can be a really complex process. The new IBM BladeCenter® Foundation for Cloud with Intel® Xeon® processors changes all that, dramatically.

It’s a workload-ready platform with built-in management, so it’s quick to deploy and easy to manage. Also, the system integrates seamlessly with your existing infrastructure. So you can get started at once, without wasting precious resources.

In addition, you have the option to transition to the cloud on your terms, not on your vendor’s. For improved business agility and reduced IT costs, look to the IBM BladeCenter Foundation for Cloud.


June 2012 Vol. 11, No. 5

Features...

20 What I Learned When I Left Security
Cover Story | Career: Four perspectives on executive communication from security experts who moved on to other business roles. By Mary Brandel

26 That’s the Ticket
Fraud: Whenever a list of logon credentials is dumped onto the Web, retailers get hit with waves of automated attacks. Here’s how ticket marketplace StubHub fights that threat. By George V. Hulme

Also Inside...

2 From the Editor

4 From the Publisher

6 Join the Discussion
CSOonline readers debate the right time to spread out your risk; business continuity standards; considering data privacy when building apps

9 Briefing
■ Cyberattacks Threaten Natural Gas Pipelines
■ I Was Wrong About the TSA
■ Red Sky Alliance: Playing Team Defense
■ Do-It-Yourself DDoS Tool Still Going Strong
■ Enterprises Brace for Attacks from Anonymous
■ Apple Accidentally Exposes Clear-Text Passwords in Recent Update to OS X Lion
■ Windows 8 Privacy Worry Overblown, Says Microsoft Analyst
■ Android Malware Masks Online Fraud

16 The New Perimeter
Toolbox: CSOs are mixing an assortment of technologies, approaches and policies to shore up defenses on the changing corporate boundary. By Elisabeth Horwitt

30 Protecting Data in a Hyperconnected World
Industry View: Richard Power talks with Christopher Burgess on theft of trade secrets, the rise of social media and the failure of weak governance

32 Debriefing
5 Facts: Fraud

CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: $. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.

Cover photo by Jason Smith


June 2012 www.csoonline.com 1


[ FROM THE EDITOR ]

Getting Unstuck

The rate of change these days is so high that occasionally I think: “I’m just looking for a nice rut to fall into. Six months in a rut sounds really relaxing right now.”

But of course, this isn’t true. A routine may be good, and useful, but ruts are a bad way to travel. The expression “stuck in a rut,” of course, refers to tracks worn in the ground by wheels that have traveled that way before. If your wheels are stuck in a rut, you may be able to move, but only along a path that others have carved out for you.

That’s not what security leadership needs. Even if you’ve got a clear strategic vision, a two- or three-year road map, a great idea of where you need to go and how to get there, you still need agility. You need the ability to respond flexibly to unforeseen events, technical breakthroughs, changing business conditions and so on.

Striving to communicate effectively with other executives remains one of the most vexing ruts that CSOs get trapped in. Nearly 10 years ago, we launched CSO magazine with a cover story about how to build better bridges within your business, how to understand organizational priorities, how to construct better relationships and how to speak the same language as CEOs and line-of-business executives.

A decade later, these skills remain a challenge. Some security leaders still—still!—trot out low-level metrics, speak in technical gibberish and focus their arguments on what “must” be done according to a security code of honor that must come off to outsiders as downright medieval.

How do we bust out of that rut?

Our cover story this month offers up the perspective of four security experts who left the rut completely by moving into roles outside of security. One is now a retail CEO: John Hartmann, who in his former role as CSO of Cardinal Health helped advise our launch of CSO back in the day. Two of our panelists are now based overseas. One is in project management; another is a journalist.

So how have their perspectives changed? CSO contributor Mary Brandel asked each of the panelists what they wish they’d better understood back in their security days. Their observations and anecdotes are entertaining as well as informative. Ultimately, by sharing their experiences here, we hope to help get you out of the ineffective executive communication rut for good.

—Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Senior Editors Bill Brenner, Joan Goodchild
Copy Editor Colleen Barry
Editorial Administrator Pat Josefek
Contributors Taylor Armerding, Mary Brandel, John E. Dunn, Elisabeth Horwitt, George V. Hulme, Gregg Keizer, Jeremy Kirk, Richard Power, Jaikumar Vijayan, Bob Violino

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson

TECHNICAL ADVISORY BOARD
Jason Cowling
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute
Richard Power, Carnegie Mellon CyLab

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

IDG Enterprise
An IDG Communications Company

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan
Chief Content Officer John Gallant

BPA Worldwide

Photo by Tim Llewellyn


Introducing iCLASS® SE enabled with the Secure Identity Object (SIO) model.

The object is Portable, Flexible and More Secure.

iCLASS SE Card

Introducing the next generation of access control. The platform that simplifies everything.

Learn about SIO. hidglobal.com/sio or scan this with a QR reader

iCLASS® SE™ protects the integrity of your identities, regardless of the card platform. It’s also amazingly flexible — use multiple form factors with an access control solution to create your ideal product today, then change it down the road as your business needs evolve by simply reprogramming it.

Powerful, adaptable and designed to be energy efficient, iCLASS SE is truly the next generation in access control. For more information, visit hidglobal.com/secure-CSO


[ FROM THE PUBLISHER ]

RIP, BlackBerry

Alas, poor BlackBerry, I knew it well. Apologies for quoting Hamlet, but it seems appropriate.

I got my first BlackBerry in the late ’90s. It was a pager, and it was great. I had never heard of Research in Motion, but an ISP bartered with my company to get my team using the devices. They were pretty cool for the time. And they always worked. We didn’t give a lot of thought to security back then, but as I understand it, they were pretty secure.

I’ve used lots of BlackBerry devices over the years, as they became a ubiquitous business tool. They always did their job: allowing me to access corporate information when I couldn’t or chose not to get on the corporate network. The form factor was and continues to be good, with a full physical keyboard that many prefer over the virtual keyboards of iOS devices. As BlackBerrys became smartphones, their security and manageability remained good. That’s why they’ve been an enterprise favorite. You could lock and wipe them remotely, if need be. You controlled all levels of access and support. In many ways, they were better than some laptop systems.

There I go, talking about BlackBerrys in the past tense. But the past tense is where they are headed. Scores of businesses are allowing the BlackBerry to die through attrition, and they long for the day, not far off, when they will be able to unplug their BlackBerry Enterprise Servers and just rely on ActiveSync. The BlackBerry is succumbing to usability and the consumerization of IT.

It’s a tool with good manageability and security, but BlackBerry’s user-friendliness has been put to shame by iPhones and Androids, cool devices that were designed with the end user in mind, but with little regard for the demands of the enterprise. They have questionable security and manageability, which can expose the business to unwelcome risks.

But let’s be honest: This isn’t the first time this has happened to enterprise IT. Remember the PC revolution? It began at home. Those dumb terminals went the way of the dinosaurs. So is it now with BlackBerrys, I fear. Will we survive? Sure. But we need to change how we think about mobile devices, and we are woefully behind the curve on this one.

As we talk about all these options, we’re speaking of apples and oranges. We talk about BlackBerrys vs. iPhones vs. Android phones. BlackBerry is a single hardware and software platform, as is iOS with iPhones and iPads. Android is a platform with many hardware options, some of which can be made very secure and some of which don’t really care about security. Even how we define security for these devices remains a topic of debate.

But at the end of the day, we’re just living through another technology revolution. We’ll figure it out. We always do. RIP, BlackBerry.

—Bob Bragdon, bbragdon@cxo.com


Advertiser Index

ASIS International . . . 19
Cisco Systems, Inc. . . . C4
CIO Executive Council . . . 29
CSO . . . 8
Executive Women’s Forum . . . 25
Hewlett-Packard Development Co., LP . . . 11
HID Corp. . . . 3
IBM Corp. . . . C2
Quantum Secure Inc. . . . 5
WatchDox . . . C3


EXECUTIVE COMMITTEE
President & CEO Michael Friedenberg
Executive Assistant to the President & CEO Pamela Carlson
SVP of Human Resources Patricia Chisholm
SVP of Events Ellen Daly
SVP & Chief Content Officer John Gallant
SVP of Digital Brian Glynn
SVP of Strategic Programs & Custom Solutions Group Charles Lee
SVP, Group Publisher & CMO Bob Melk
SVP & General Manager, Online Operations Gregg Pinsky
SVP of DEMO Neil Silverman
SVP & COO Matthew Smith
SVP & General Manager, CIO Executive Council Pam Stenson
SVP of Digital & Publisher Sean Weglage

SALES
Publisher Bob Bragdon
Senior National Sales Manager Per Melker
East Coast Regional Director, Integrated Sales Roz Burke
Account Director, Integrated Sales West Mary Hazelton
Sales Associate Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
East Coast Online Regional Sales Manager Richard Hartman
West Coast Online Regional Sales Manager Erika Karr
Central Online Regional Sales Manager Stacy Bryne
Director of Ad Operations & Project Management Bill Rigby
Director, Online Account Services Danielle Tetreault

PRODUCTION
VP Production Services Chris Cuoco
Production Manager Heidi Broadley

MARKETING
Vice President, Marketing Sue Yanovitch
Marketing & PR Manager Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com




Photo by Christopher Navin


Do you know your physical security access infrastructure may be open to insider and outsider threats?

Take Control of your Physical Security Infrastructure with SAFE Solutions

> Government
> Airports and Ports
> Telecom
> Energy and Utilities
> Healthcare, Pharmaceuticals
> High Technology
> Financial
> Higher Education
> Transportation

Our SAFE Software Suite is a Physical Identity and Access Management System that enables a global approach to automate and streamline your Physical Security Infrastructure. With SAFE Solutions from Quantum Secure, automate and streamline physical access management, gain visibility and take control of on/off boarding processes across global facilities, and closely manage restricted areas to ensure compliance and reduce corporate risks.

SAFE delivers attestation reports for compliance to regulations such as SOX, NERC, PCI, HIPAA and more. SAFE also performs insider risk assessment with facility access analytics, and will operate with disparate physical access (PACS) and HR systems. The SAFE Software Suite is designed to create unprecedented efficiencies and lower all physical access related risks.

> quantumsecure.com

© 2012 Quantum Secure, Incorporated. All rights reserved.


What’s on your mind? Security leaders discuss and debate at www.csoonline.com

BLOG POST

Is the Time Right to Spread Out Your Risk?

For many years, security professionals have lived by the three pillars of risk management: avoid, treat and accept. These great tenets have served the profession well, enabling CISOs to build appropriately secure networks at a tolerable level of cost. Unfortunately, as evidenced by the litany of security breaches we have seen over the past 12 months, it’s clear that the landscape is changing. More than ever before, security is clearly a no-win game.

The high-profile attackers, state-sponsored or otherwise, are one threat, but it goes deeper than this. The keys to the kingdom are no longer in the hands of the generals and policymakers; their decisions and discussions are enabled by email, IM and IP telephony, all of which sit firmly in the domain of the IT department and systems administrator, and stressed, poorly paid employees do not make the ideal custodians of such critical information. As an example, Anonymous claims to have access to every classified government database in the United States, but they didn’t hack them; disaffected systems administrators and other employees simply opened the doors for them or sent them the access codes.

As the broadening gap between our ambitions for a secure enterprise and our abilities to deliver on such a vision becomes self-evident, the time has come to pay equal attention to the poor cousin of risk management: transfer. For many CISOs, risk transference is a topic that is largely theoretical as, even when a task is outsourced, the risk associated with a breach commonly remains with the data-owning organisation. Cyber insurance offers a different solution.

Theoretically, cyber insurance can enable a company to experience an information breach and avoid many of the negative financial and reputational impacts. This sounds ideal, but many CISOs are still reluctant. Could it be the cost, the complexity of getting the right policy, or is it a simple lack of faith that an insurance company will pay out when a breach actually occurs?

—Andrew Rose, Forrester

BLOG POST

Business Continuity Standards Don’t Matter

The current state of business continuity management (BCM) standards? Abysmal. According to a joint Forrester and DRJ study, 69 percent of respondents said that British Standard (BS) 25999 did not influence or only somewhat influenced BCM at their company. It’s not much better for NFPA 1600—70 percent of respondents said that it did not, or only somewhat, influenced their BCM. I find this shocking. BS 25999 is one of the most widely recognized standards for BCM worldwide and NFPA 1600 has been popular in the United States for years. In addition, the Department of Homeland Security’s Private Sector Preparedness Program (PS-Prep) recognizes both of these standards for assessing preparedness.

If you’re wondering what standards respondents named as relevant in the “Other” category, it was mostly the Federal Financial Institutions Examination Council (FFIEC) and NIST. Not surprising, but also a little disheartening. It’s clear that unless compelled to do so, most BC professionals would not adopt or follow a BCM standard.

Even if you don’t intend to certify to these standards, they should strongly influence your BCM program. Why?

■ They provide a foundation and a common vocabulary for BCM best practices and processes. This is important if you need to implement BCM across a geographically dispersed enterprise or you have to work with a multitude of global partners on joint preparedness.

■ These standards represent the input and recommendations of hundreds of BCM professionals and industry experts. Rather than reinvent the wheel, you can take advantage of years of expertise and the lessons learned from your peers.

There are also a few good reasons why you should consider certification in the long term:

■ It challenges your BCM program and your organization to reach a higher level of maturity and preparedness. Not only does this make good business sense, but I believe preparedness is a fiduciary responsibility to your employees, customers, partners and shareholders.

■ Partners may demand it of you anyway. I’ve come across several instances where a large enterprise forced a small partner to achieve certification. As new business models increasingly rely on a web of third-party suppliers, business-process outsourcers, cloud-service providers and channel partners, I expect external audit requests to increase.

■ It can reduce the amount of time it takes to comply with external audits of your BCM program. When that external party comes knocking on the door like a raven from an Edgar Allan Poe poem, how much easier will it be to convince them of your preparedness if you’re certified?

■ It can provide a competitive advantage, at least in the short term. I’ve also seen several firms use certification as an advantage over their competitors, particularly with customers like financial institutions that demand readiness.

And before everyone sends me a bevy of snide tweets and leaves me angry blog comments, I know that certification does not ensure complete readiness any more than compliance equals security. However, I do think it signifies a base-level readiness and a commitment and seriousness about BCM.

I’m curious to hear from all of you: what standards are you using (or not) as part of your BCM programs? What made you decide to use (or not) certain standards?

—Stephanie Balaouras, Forrester

BLOG POST

Consider Data Privacy When Building Apps

As almost every type of business is rushing to develop one or more apps for use on mobile devices by their employees, business partners or customers, issues relating to data security are frequently overlooked or given short shrift.

While obvious issues are addressed (e.g., where is the primary location for data storage), other issues remain. For example, most apps involve the integration of components from a variety of third-party developers. Those third parties may require access to user data as part of their license agreements. A bar code or QR code scanning module may permit the licensor access to all sorts of user information regarding location, time and use of the module. Such uses may have to be disclosed to users and could violate some applicable laws.

Many third-party licenses have broad audit rights, permitting the licensor access to the licensee’s facilities, systems and data. I have written about such audit rights in past posts.

The point of the foregoing is to emphasize the need in app development to trace every possible means of access to user data and ensure that appropriate protections are in place. Without that effort, businesses may be unpleasantly surprised to find their data is being placed at risk by unexpected sources. —Michael Overly

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
Email: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.


Photo by Sean Grant, Flickr




To register for Insider exclusive content visit: www.csoonline.com/insiders/index

Want to be in the know about the latest security topics and trends?

Become a CSO

You’ll gain exclusive access to premium content and resources, including:

■ What to buy. In-depth reviews of security and IT solutions
■ Executive and Peer Interviews and Insights. Deep dives with the industry’s top thinkers
■ Practical tips. How-to articles for security and IT professionals
■ Exclusive research & analysis. Incisive reports, case studies, and more
■ How to get ahead. Career advice from industry experts and peers
■ Invitations to select events. Get the inside edge

“We’re dealing with something far more unacceptable than security theater.” PAGE 10


TRENDS, STATS AND FAST FACTS
Edited by Bill Brenner

Cyberattacks Threaten Natural Gas Pipelines

Some companies may have already been breached by spear phishing attacks

The latest incident-response report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security (DHS), warns of an ongoing cyberattack against the computer networks of U.S. natural gas pipeline companies.

ICS-CERT says it first identified a series of active cyber intrusions targeting natural gas pipeline companies in March. Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple organizations, the report says.

Analysis of the malware and characteristics of the attacks link it back to a single campaign, ICS-CERT adds.

“The campaign appears to have started in late December 2011 and is active today,” ICS-CERT says. “Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the emails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization.”

The advisory adds: “ICS-CERT is currently engaged with multiple organizations to identify the scope of infection and provide recommendations for mitigating it and eradicating it from networks. ICS-CERT has conducted a series of briefings across the country to share information related to the intrusion activity with asset owners/operators. ICS-CERT will continue to work with private sector and government partners to respond to this and other cyber threats.”

Security experts say we should expect many more attacks on critical infrastructure in the future.

“Gleaning intelligence to ascertain empirical information regarding actors, attacks, and even motives is increasingly common,” says Brian Contos, senior director and customer security strategist at McAfee. “Organizations have been doing this for years with honeypots and related investigative controls. Many organizations within the public sector have been engaging in what is called cyber readiness, which boils down to having holistic operational visibility for more rapid threat acquisition and response. For this to be effective, a heightened level of intelligence is required. What we thought kept us secure the last 20 years won’t keep us secure the next; as the enemy matures and adapts, so must we.”

Eric Chiu, president and founder of cloud security company HyTrust, says, “Attacking critical commercial and public infrastructure is nothing new, unfortunately, and seeing attempts to gain access into critical national infrastructure highlights the need to secure access with technologies and processes that will prevent undesirable incidents.”

The need for this grows dramatically as organizations move critical infrastructure and applications to the cloud, where, in the wrong hands, data can be copied, deleted, or moved from anywhere on the globe virtually undetected, he says.

The Christian Science Monitor, which was the first to report the attacks, quoted unidentified sources as saying that DHS has so far released at least three confidential “amber” alerts warning gas pipeline companies about the attacks.

The DHS alerts were far more specific than the ICS-CERT advisory and contained details like file names, IP addresses and other markers that a company could use to see if it was breached, the Monitor said in its report.

—Bill Brenner and Jaikumar Vijayan

Photo by U.S. Bureau of Land Management




>>  BRIEFING 


SALTED  HASH 

I  Was  wrong  About  the  TSA 


Children  have  their  boarding  passes  checked  by  a  Transportation  Security  Administration 
employee  at  a  checkpoint  at  Washington  Reagan  National  Airport. 


“I’M  GOING  to  go  slap  the  TSA  around 
in  a  blog  post,”  I  told  CSO  Editor-In- 
Chief  Derek  Slater.  He  laughed  heartily. 
Around  here,  we  jokingly  pitch  articles 
knocking  the  Transportation  Security 
Administration  (TSA)  because,  let’s  face 
it,  you  can  never  lose  with  that  chestnut. 

But  this  isn’t  about  taking  a  cheap 
shot.  It’s  about  me  reevaluating  some¬ 
thing  I  wrote  about  the  TSA  earlier. 

On a trip to LA last fall, I saw some folks stumbling through the TSA gauntlet in what I thought were foolish ways: the type of annoying stuff that unseasoned travelers do that holds up the line for everyone else.

On  the  plane,  I  wrote  a  post  about 
how  sometimes,  it’s  not  the  TSA’s  fault. 

I  took  lots  of  heat  for  that,  as  I  knew  I 
would.  Some  accused  me  of  supporting 
a  fascist  regime.  I  still  feel  the  same  way 
about  a  few  things,  particularly  that 
some  people  make  the  TSA  experience 
harder  on  themselves  and  everyone  else 
than is necessary. But the facts are adding up, and I increasingly dislike what I’m finding.

John  Adams  once  said,  “Facts  are 
stubborn  things;  and  whatever  may  be 
our  wishes,  our  inclinations,  or  the 
dictates  of  our  passion,  they  cannot  alter 
the  state  of  facts  and  evidence.”  And  so 
it is in this case. The evidence against the TSA is piling up like garbage. Some of it can be found in videos of TSA abuse that I recently posted here: http://blogs.csoonline.com/node/2095. And the evidence keeps adding up in the news.

Take  a  recent  blog  post  by  Fox 
News  reporter  Todd  Starnes,  where  he 
discusses  an  incident  in  which  a  4-year- 
old  girl  was  labeled  a  “high  security 
threat”  for  hugging  her  grandmother  at 
Wichita  Mid-Continent  Airport.  Here’s 
an  excerpt: 

“Michelle Brademeyer, of Missoula, Mont., wrote about the incident on her Facebook page, alleging TSA officers called for backup after her daughter would not stop crying and at one point was ordered to spread her legs....

“The TSA confirmed to Fox News that an incident occurred at the airport, but defended the way their officers handled the situation.

“‘TSA has reviewed the incident and determined that our officers followed proper current screening procedures in conducting a modified pat-down on the child,’ said Sterling Payne, of the TSA Office of Public Affairs.”

CSOonline’s Salted Hash blog and newsletter cover the news as it happens: blogs.csoonline.com/blog/cso

I  can’t  ignore  what’s  in  front  of  me.  I 
have  to  admit  it:  I  was  wrong. 

Much  has  been  said  and  written 
accusing  the  TSA  of  being  nothing  more 
than  security  theater— something  that’s 
there  for  show,  to  make  people  feel  safer, 
even  though  in  reality  we’re  not  all  that 
much  safer  than  we  were  on  9/11. 

But it’s becoming clear that we’re dealing with something far more unacceptable than security theater. This is Big Brother chipping away at our freedom of movement, and abusing power on a daily basis in the process, all in the name of security.

■ Calling for backup because you’ve scared a little girl into a fit of tears?

■ Detaining a young mom for hours, making her miss a flight, because she doesn’t want the breast milk she pumped to be X-rayed?

■ Making an elderly couple remove their shoes and belts like they’ve just arrived at prison to serve out a sentence?

It’s  not  OK.  Not  in  the  United  States 
of  America. 

Some have suggested that President Obama and his predecessor, George W. Bush, deserve the most blistering criticism for allowing it to get this bad. Indeed, they did play a role. But the person most to blame is staring at many of us in the mirror.

After  9/11,  Americans  were  so  freaked 
out  and  so  anxious  for  security  that  they 
allowed  the  government  to  run  wild. 

The  Patriot  Act  and  the  TSA  are  prime 
examples  of  what  happened  next. 

I’m responsible for this, too. I’m the guy who skipped a relative’s wedding 10 days after 9/11 because I was too freaked out about boarding a plane. Back then, I would have felt better seeing security agents groping people in the airport line in search of guns and knives.

Shame  on  me  for  that,  and  shame  on 
me  for  sticking  up  for  the  TSA  last  fall. 

-B.B. 




Photo  by  Jason  Reed/Reuters 


EVERYWHERE 
AT  ONCE? 


You  can't  stop  threats  if  you  can't  spot  them.  That's 
why  HP  Enterprise  Security  offers  proven  solutions 
that  deliver  context-aware  visibility  into  security 
risk.  There's  no  better  way  to  proactively  detect 
security  issues  and  drive  situational  awareness 
across  your  applications,  operations,  and 
infrastructure.  The  HP  Security  Intelligence  and 
Risk  Management  platform  provides  integrated 
correlation,  application  protection  and 
network  defenses  that  can  secure  modern 
IT  environments  from  sophisticated  threats. 


For  more  information  go  to 
www.hpenterprisesecurity.com 


Advanced  protection 
against  advanced  threats 


ENTERPRISE  SECURITY 



Copyright  ©2011  Hewlett-Packard  Development  Company,  L.P. 




INFORMATION  SHARING 

Red  Sky  Alliance:  Playing  Team  Defense 

Chris  Camacho,  information  security  officer  at  The  World  Bank  Group,  explains  how  an 
online  community  helps  member  organizations  collaborate  against  threats 


One  of  the  biggest  challenges  in  infor¬ 
mation  security  today  is  information 
sharing.  Specifically,  the  issue  is  how 
much  to  share,  with  whom  and  under 
what  circumstances.  One  organization  trying 
to  figure  that  out  is  Red  Sky  Alliance. 

The mission of the global members-only organization is to build a trusted online community to identify and neutralize threats to the membership from organized, covert, targeted, espionage, criminal or advanced cyber threats. Bob Violino recently interviewed Chris Camacho, information security officer at The World Bank Group, a member of Red Sky, about the alliance and how it can help member organizations.

What  is  the  Red  Sky  Alliance,  and  what 
does  it  hope  to  achieve? 

Camacho: As a member of Red Sky Alliance, I would call it a secure portal for real-time information sharing and collaboration with peers in information security. It aims for a secure manner of sharing cyberintelligence between members in different industries. So if a financial corporation shares an incident or event, then someone in government or healthcare can be prepared to share if they have also seen the event recently.


When  did  The  World  Bank  Group 
become  a  member  of  Red  Sky,  and  what 
were  the  main  reasons  for  joining? 

We  have  been  a  member  since  inception. 
Our  main  reason  was  to  find  a  trusted  method 
of  sharing  and  receiving  information  that  has 
back-end  support  and  data  sets  to  provide 
more  context  on  findings.  Due  to  the  increase 
of  targeted  attacks,  it’s  best  to  know  too  much 
information  rather  than  not  much  at  all.  The 
more  information  that  can  be  shared  by  others, 
along  with  reports  and  context  from  Red  Sky, 
the  better  for  all  members. 

Can  you  provide  an  example  of  how  the 
portal  has  enabled  real-time  information 
sharing  about  threats  and  defenses? 

On a Saturday, there was a malicious sample shared in the portal. Within the next couple of hours, there was analysis of the malware, full indicators and more information on the threat and what could be related, which every member could take back to their networks and search for or add detection for. Such information was unknown to members until other members shared it.

How  big  a  role  does  the  portal  play  in 
your  organization's  overall  information 
security  strategy? 


The  portal  is  open  on  my  desk  at  all  times 
waiting  for  someone  to  share  new  reports  or 
information.  If  a  new  report  or  threat  is  shared, 
we  immediately  digest  and  process  the  details. 

Why  is  the  human  element  of 
information  sharing,  enabled  by  the 
alliance,  so  important  in  defense  against 
security  threats? 

Any  organization  can  subscribe  to  feeds  or 
services  that  are  machine  generated.  What  is 
nice  about  the  human  element  is  the  ability  to 
query  an  actual  person  for  more  information 
or  get  responses  that  make  sense  to  a  specific 
environment. 

The  information  shared  by  an  analyst 
providing  more  context  and  research  has 
already  been  gathered  and  dissected  before 
being  shared  with  others.  Typically,  with 
machine-automated  feeds,  there  is  too  much 
information  and  it  takes  time  to  sort  to  get  to 
the  context  that  matters  most. 

What  are  some  of  the  other  benefits  of 
being  a  member  of  the  alliance? 

As Red Sky continues building up its infrastructure, I like the back-end support of the Norman Sandbox and the ability to reach out to other analysts directly for additional support.

-Bob  Violino 
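The DHS alerts described earlier in this Briefing carried file names, IP addresses and other markers a company could use to see whether it was breached, and Camacho describes the same kind of indicators (full indicators for a shared malware sample) arriving through the Red Sky portal. The sweep a member would then run over its own logs, as an added example that is not code from CSO, DHS, ICS-CERT or Red Sky Alliance (the indicator list and the log lines are constructed, and none of the addresses, file names or hashes is a real indicator):

```python
"""Sweep local logs for indicators shared through an alert or a portal.

Added example, not code from CSO, DHS, ICS-CERT or Red Sky Alliance.
The indicator set and the log lines are constructed for illustration;
none of the addresses, file names or hashes is a real indicator.
"""
import ipaddress
import re
from dataclasses import dataclass

# Shape of an indicator list as an analyst might post it: IP addresses
# (single or CIDR), file names and SHA-256 hashes. Constructed values.
BAD_HASH = "a3f1c2" + "0" * 58          # 64 hex characters, made up
SHARED_IOCS = {
    "ips": ["203.0.113.0/24", "198.51.100.7"],
    "filenames": ["svchost32.exe", "update_v2.scr"],
    "sha256": [BAD_HASH],
}

# Constructed sample of firewall and endpoint log lines (not real data).
SAMPLE_LOG = [
    "2012-05-04T02:13:07Z fw01 ALLOW tcp 10.1.4.22:49213 -> 203.0.113.45:443",
    "2012-05-04T02:13:09Z fw01 ALLOW tcp 10.1.4.22:49214 -> 93.184.216.34:80",
    "2012-05-04T02:14:00Z host-22 procstart C:\\Windows\\Temp\\svchost32.exe sha256=" + BAD_HASH,
    "2012-05-04T02:15:31Z fw01 DENY udp 10.1.9.3:5353 -> 198.51.100.7:53",
    "2012-05-04T02:16:02Z host-07 procstart C:\\Program Files\\App\\app.exe sha256=" + "b" * 64,
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    kind: str        # "ip", "filename" or "sha256"
    indicator: str   # the shared indicator that matched
    line: str        # the offending log line, for the analyst


def compile_iocs(iocs):
    """Normalize the shared list: networks for IPs, lower-case sets for the rest."""
    nets = [ipaddress.ip_network(n, strict=False) for n in iocs.get("ips", [])]
    names = {n.lower() for n in iocs.get("filenames", [])}
    hashes = {h.lower() for h in iocs.get("sha256", [])}
    return nets, names, hashes


def sweep(lines, iocs):
    """Return every (line, indicator) match; a line can hit more than once."""
    nets, names, hashes = compile_iocs(iocs)
    hits = []
    for line_no, line in enumerate(lines, 1):
        lowered = line.lower()
        # IPs are matched by network membership so a /24 catches every host in it.
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. "999.1.1.1" looks like an address but is not one
            if any(addr in net for net in nets):
                hits.append(Hit(line_no, "ip", candidate, line))
        for name in names:
            if name in lowered:
                hits.append(Hit(line_no, "filename", name, line))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in hashes:
                hits.append(Hit(line_no, "sha256", digest.lower(), line))
    return hits


def sweep_sample():
    """Run the constructed indicators over the constructed log."""
    return sweep(SAMPLE_LOG, SHARED_IOCS)


if __name__ == "__main__":
    for hit in sweep_sample():
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} -> {hit.line}")
```

Addresses are matched by network membership, so a shared /24 catches every host in it, and strings that merely look like addresses are skipped. In practice the indicator list would be read from the shared report rather than embedded, and a hit on a firewall log alone is a lead to triage, not proof of compromise.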


HACKER  TOOLS 

Do-It-Yourself  DDoS  Tool  Still  Going  Strong 


The Low Orbit Ion Cannon (LOIC) tool, which allows users to launch a do-it-yourself distributed-denial-of-service (DDoS) attack, recently surpassed its download numbers for the whole of 2011, security firm Imperva reports. By April 22, LOIC had matched last year’s 381,976 total downloads, and is on track to be downloaded well over a million times in 2012 at the current rate of nearly 3,500 times per day.

As in 2011, the United States is the main site of LOIC downloads with 73,000, followed this year by France, Brazil, Ukraine and Poland, in that order. The UK has fallen from fifth place with 16,734 downloads in 2011 to eighth place so far in 2012, but with 12,392 downloads in only 112 days, the UK will still easily surpass its total from last year.


The continued popularity of LOIC as a download is all the more surprising given that it can also be launched as a JavaScript version from a website without running a dedicated app. This method is far less efficient but is just as susceptible to being traced by IP address, because neither version hides the source address of the traffic it generates. One possibility is that LOIC is now being used to attack targets not likely to complain to the authorities, such as the unpopular governments of Syria or Iran.

Earlier  this  year,  after  the  arrest  of  Megaupload  founder 
Kim  Schmitz,  someone  altered  the  Pastebin  download  link  for 
the  Slowloris  DDoS  tool  to  point  to  an  online  banking  Trojan. 
Thousands  of  people  may  have  installed  a  keylogger  when  they 
thought  they  were  downloading  a  way  to  attack  authorities  in 
revenge  for  Schmitz’s  arrest.  -John  E.  Dunn 




HACKTIVISM 


Security 
Wisdom  Watch 

War  On  Privacy  edition 

Thumbs both ways: “Stand your ground” laws. These laws, which allow the use of force in self-defense when there is a reasonable belief of a threat, could be applied to Internet security. But major legal and ethical problems still need to be sorted out.

Thumbs up: Red Sky Alliance. This global members-only organization aims to build a trusted online community to identify and neutralize threats to the membership from organized, covert, targeted, espionage-related, criminal or advanced cyber threats. The most promising part is that it could make information sharing easier and safer among organizations.


Thumbs  down:  The  Cyber  Intelligence 
Sharing  and  Protection  Act.  CISPA  is 
the  government’s  attempt  to  help 
companies  and  organizations  share 
information  vital  to  everyone’s  security. 

The  problem,  like  any  government  attempt  to 
legislate  security,  is  that  the  bill  over-reaches, 
giving  entities  the  power  to  dig  deep  into  our 
private  matters.  We  prefer  the  more  private- 
sector  approach  of  the  Red  Sky  Alliance. 


Thumbs down: TSA. We’re more than a little disturbed by the growing brutality of airport security screeners. Every day we hear more reports of invasive and embarrassing pat-downs and children being handled like common criminals. The abuse doesn’t make us safer from terrorism, and it’s not the American way. It has to stop.

Thumbs up: FlyRights iPhone app. Tired of being groped by the TSA while watching them interrogate your toddler for a diaper bulge that they think is a gun? Now you can report these wrongs via a new app by the Sikh Coalition. FlyRights allows users to report instances of airport profiling in real time. Given the growing abusiveness of the TSA, an app like this has unfortunately become necessary. -B.B.


Enterprises  Brace  for 
Attacks  from  Anonymous 

Experts  say  companies  need  to  be  more  prepared  for 
anything  and  everything,  including  compromises 

Enterprise  security  pros  have  plenty  to  worry  about:  malware,  insiders  stealing 
information,  an  employee  leaving  an  unencrypted  notebook  full  of  gigabytes 
of  intellectual  property  on  a  train.  However,  the  spate  of  hacktivist  attacks 
in  recent  years  from  groups  such  as  Anonymous  and  LulzSec  has  upped  the 
anxiety  level.  So  what  to  do  about  it?  Should  it  change  the  way  organizations  secure 
their  systems? 

The first piece of advice is to forget about security through obscurity. Assume you will be a target. “One of the interesting things about hacktivism is that it is difficult for a company to determine in advance whether it is going to be the subject of a hacktivist attack,” says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. “Take a midsize company that manufactures widgets in Wisconsin. They could easily ask: ‘Why would hacktivists be after us? We’re not involved in politics. We don’t do anything particularly controversial.’” But there are plenty of unforeseeable reasons. “Suddenly, the spokesperson they have for their ads, who they’ve hired from their public relations firm, who in turn hired an ad firm, that’s hired a person to put together an ad that hired an actress who says something that offends some group. Now you’re off to the races. The point is, it may be nothing they did. They may be a victim of circumstance or happenstance,” says Rasch.

“Today, security teams also need to be aware of public actions taken by their respective employers that might make them a target, and they need to be prepared to react,” says Shawn Moyer, practice manager of research consulting at Accuvant Labs. “Fifteen years ago, when lightning struck an electric pole and the lights went out, the computers went dark, and everybody went out and stood in the hall. We learned that a data center without electricity is pretty useless. Now companies routinely spend money on backup power supplies like emergency generators. The same now needs to be true with the Internet connection. If the electricity stays up but the Internet connection goes down, the data center is sort of an expensive lump of metal. You need the same reliability on your Internet connection, and the Anonymous attacks are good examples of why.”

The  final,  and  perhaps  most  important,  precaution  is  to  bolster  an  organization’s 
ability  to  rapidly  respond  to  incidents.  “We  are  progressing  from  the  idea  where 
you  try  to  secure  your  network  with  essentially  moats  and  castles  to  prevent  every 
attack  to  almost  an  acknowledgement  that  a  determined  attacker  will  likely  find 
some  way  into  some  part  of  your  network,”  says  Rasch. 

-George  V.  Hulme 



Photo  by  Vincent  Diamante,  Flickr 




OS  VULNERABILITIES 

Apple Accidentally Exposes Clear-Text Passwords in Recent Update to OS X Lion


Apple’s latest update to OS X contains a dangerous programming error that reveals the passwords for material stored in the first version of FileVault, the company’s encryption technology, according to software consultant David I. Emery.

He  wrote  on  Cryptome  that  a  debugging 
switch  inadvertently  left  on  in  the  current 
release  of  Lion,  version  10.7.3,  records  in 
clear  text  the  password  needed  to  open  the 
folder  encrypted  by  the  older  version  of 
FileVault. 

The  vulnerability  affects  those  who 
upgraded  to  Lion  but  are  using  the  older 
version  of  FileVault.  The  debug  switch  will 
record  the  Lion  passwords  for  anyone  who 
has  logged  in  since  the  upgrade  to  Version 
10.7.3,  released  in  early  February. 

“This  is  what  the  secure  FileVault  parti¬ 
tion  was  supposed  to  protect  against,  after 
all,”  Emery  says. 

Apple has two versions of FileVault. The first version allowed a user to encrypt the contents of the home folder using the Advanced Encryption Standard with 128-bit keys. An upgraded product, FileVault 2, which shipped with OS X Lion, encrypts the entire contents of the hard drive.

When  a  user  upgrades  to  Lion 
but  still  uses  the  first  version  of 
FileVault,  the  encrypted  home 
folder  is  migrated.  That  is 
what’s  now  vulnerable  with 
this  security  issue. 

According to Emery, the password is accessible to anyone with root or administrator access.

But what’s worse is that passwords can also be read another way. Emery explained that passwords can also be read by “booting the machine into FireWire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines [that] they did not have any idea of any login passwords for.”

There are a couple of ways to mitigate the problem. Emery wrote that the FireWire disk and recovery partition attack can be headed off by using FileVault 2. In that case, an attacker would have to know at least one password before a file could be accessed on the main partition of the disk, he said.

Also,  a  firmware  password  could  be 
set  that  would  be  needed  in  order  to  boot 
the  recovery  partition,  external  media  or 
even  enter  the  FireWire  disk  mode.  Emery 
cautioned,  though,  that  Apple  Genius  Bar 
employees  know  a  standard  technique  to 
turn  it  off. 

-Jeremy  Kirk 


Windows  8  Privacy  Worry  Overblown,  Says  Analyst 

Risk  of  contacts  being  cached  locally  is  no  greater  with  Windows  8  than  with  Windows  7,  researcher  claims 


It sounds like a privacy hole big enough for a truckload of your personal information to be leaked to the world, but experts say a recently disclosed Windows 8 privacy issue is really a non-issue.

Microsoft’s Windows 8, which connects its users with networks including Facebook, Flickr, Twitter, LinkedIn, Hotmail, Gmail and Exchange, leaves a “lingering cache of automatically collected contacts [that] are stored unencrypted on a Windows 8 client,” reports Woody Leonhard of InfoWorld, a sister publication to CSO.

“[Windows  8]  doesn’t  build  its  contacts  list 
dynamically,"  Leonhard  reported.  “Instead,  it  keeps 
a  cache  of  contacts  from  all  of  those  sources  stored 
on  the  machine.  The  cache  persists  even  when  the 
user  logs  off  or  the  machine  is  turned  off. 

“That  means  anyone  who  can  sign  on  to  your 
PC  with  an  administrator  account  can  see  all  of  your  contacts  and  all 
of  their  data-names,  email  addresses,  pictures,  telephone  numbers, 
addresses,”  he  wrote. 

Leonhard said he found out about this from a white paper by George Washington University graduate student Amanda Thomson, at a blog called Propeller Head Forensics. He said while the contact information is “stored away in an appropriately obscure format, the text is in the clear and the pictures can be resurrected fairly easily. Nothing’s encrypted.”

Michael  Cherry,  lead  analyst  of  operating  systems  at  analysis  firm 
Directions  on  Microsoft,  says  he  has  no  reason  to 
doubt  Thomson’s  findings.  But  he  says  this  is  far 
from  a  meltdown  in  Microsoft’s  decade-long  effort 
to  improve  its  security  and  privacy. 

The first and most important mitigating factor, he says, is that this is a beta version of Windows 8, a release preview. While it is in wide use, “the point is that this is the kind of thing they are looking for.”

“My  sense  is  that  Microsoft  will  take  some  steps 
to  remedy  any  issues,  but  in  the  area  of  privacy,  the  remedy  may  simply 
be  to  tell  people  that  their  information  is  shared  among  the  services,” 
he  told  CSO. 

-Taylor  Armerding 




Illustration  by  Carl  Spackler 


MOBILE 

Android  Malware 
Masks  Online  Fraud 

NotCompatible  downloads  automatically  from 
infected  websites,  a  new  attack  vector  for  Android 

Android malware that’s being automatically distributed from hacked websites looks like it’s being used to mask online purchases, and could be part of a fraud gang’s new push into mobile, researchers say.

“The malware essentially turns your Android phone into a tunnel that can bounce network traffic off your phone,” says Kevin Mahaffey, co-founder and CTO of Lookout Security, an Android-focused firm.

Lookout  first  published  information  about  the  new  malware,  dubbed 
NotCompatible,  last  month.  Further  analysis  has  revealed  the  most 
likely  reason  that  cybercriminals  are  spreading  the  malware. 

“There are a couple of ways they can profit from this,” says Mahaffey. “One is general online fraud, the other is targeted attacks against enterprises. We haven’t seen any evidence [of the latter], and have confirmed that it is engaged in online purchasing activity.”

Once installed, NotCompatible turns an infected Android device into a proxy through which hackers can direct data packets, disguising the real source of that traffic by using the compromised devices as middlemen.

Lookout  has  monitored  traffic  from  NotCompatible-infected  Android 
devices  and  discovered  that  they  were  used  to  purchase  tickets  via 
TicketMaster,  for  example,  as  well  as  other  goods  and  services. 

It’s  almost  certain  that  the  controllers  of  NotCompatible  are  using 
stolen  credit  cards  to  purchase  products,  says  Mahaffey:  There’s  little 
reason  to  divert  traffic  through  a  proxy  if  the  purchases  are  legitimate. 

NotCompatible uses a never-before-seen-on-Android attack vector, Mahaffey and other security experts say. “This is the first time that [attackers] have used legitimate websites to serve Android malware,” says Mahaffey. “That’s what caught our eye... We see Android malware all the time, but it’s usually served using social engineering.”

Mahaffey  is  referring  to  the  tactic  of  enticing  users  to  download  and 
install  Trojan  horses  posing  as  legitimate  apps. 

When Android phones or tablets navigate to a compromised website, the devices are shunted to hacker-controlled servers, which then automatically download NotCompatible. The malware poses as a security update and asks the user to approve the installation.

While some media reports have characterized NotCompatible as a drive-by attack, that’s not entirely accurate, say both Mahaffey and Liam O Murchu, manager of operations with Symantec’s security response team, which has also dug into NotCompatible. The term “drive-by” typically describes attacks that are automatically triggered as soon as a user views an infected website, and rely on unpatched vulnerabilities to install malware.

That’s not the case with NotCompatible, which requires some help from the user to be installed, even though it’s downloaded automatically. NotCompatible does not exploit an Android vulnerability.

Only devices that allow app installation from unknown sources, in other words from sites or e-markets beyond the official Google Play app store, are susceptible to infection, say Lookout and Symantec.

Such installations, called sideloading, are often a trait of corporate-owned or -managed devices, since that setting allows IT administrators, or employees for that matter, to download and install company-designed apps.

That was one of the reasons Lookout first suspected that the malware was targeting enterprises, perhaps using the Android proxies as a way to conduct reconnaissance of corporate resources, or even using them to transfer stolen data from hacked businesses.

Lookout  and  Symantec  disagree  on  the  number  of  compromised 
sites  that  were  redirecting  users  to  servers  offering  NotCompatible. 

Mahaffey  says  that  Lookout  had  only  confirmed  the  existence  of 
“tens  of  sites”  infected  with  the  rogue  element  that  redirected  devices  to 
the  malware-hosting  servers.  However,  he  says  that  there  is  a  far  larger 
number  of  sites  that  showed  signs  of  infection;  Mahaffey  declined  to 
estimate  the  number  of  the  latter. 

In a separate interview, Symantec’s O Murchu put the number of compromised sites at around 1,000.

Both  experts  say  that  the  hacker-operated  servers  that  were  the 
source  of  NotCompatible  have  been  taken  offline. 

For  Mahaffey,  the  NotCompatible  campaign  is  yet  another  sign  of  the 
continued  evolution  in  mobile  hacking  and  malware,  which  has  become 
increasingly  aggressive  and  sophisticated  of  late.  “Mobile  malware  is 
exiting  the  test  stage,”  Mahaffey  argues.  “[Cybercriminals]  who  have 
been  doing  this  kind  of  thing  for  years  on  the  PC  have  been  shifting  to 
mobile.” 

As  proof,  Mahaffey  cites  Lookout’s  suspicion  that  a  single  player  was 
not  behind  NotCompatible,  but  that  instead  it  was  the  coordinated  work 
of  multiple  groups,  each  responsible  for  a  part  of  the  attack  and  the 
malware’s  underlying  profit-making  infrastructure. 

“[NotCompatible’s  makers]  may  be  selling  some  sort  of  online  proxy 
service  to  others,”  Mahaffey  says.  “Those  using  these  Android  proxies 
may  not  even  know  what  [the  hackers]  are  doing.” 

Mahaffey  says  the  NotCompatible  code  is  “well-written  and  very 
stable.  It’s  engineered  very  well,  which  is  fairly  different  from  most 
Android  malware.”  -Gregg  Keizer 
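Because the compromised sites described above discriminate on the visitor's user agent, the cheapest check a web team can run on its own site is to request it, and anything it embeds, as both a desktop browser and an Android browser, then compare where each lands. The following is an added example, not Lookout's or Symantec's code; the gate and payload hostnames, the user-agent strings and the hidden-iframe model of the injection are assumptions, and the fake site is constructed so the check runs offline:

```python
"""Check a site for user-agent dependent redirection to an APK.

Added example, not Lookout's or Symantec's code. It models the delivery
described in the article: a compromised page embeds a hidden iframe that
points at an attacker "gate", which sends Android user agents to an APK
download and everyone else to a harmless page. The fetch callable is
injected so the check runs offline against a constructed fake site;
urllib_fetch performs the same check against a live URL. Hostnames,
paths and user-agent strings below are assumptions.
"""
import re
import urllib.request
from urllib.parse import urljoin, urlparse

ANDROID_UA = ("Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; Nexus S Build/IMM76D) "
              "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
APK_MIME = "application/vnd.android.package-archive"
IFRAME_SRC_RE = re.compile(r"""<iframe[^>]+src=["']([^"']+)["']""", re.IGNORECASE)


def urllib_fetch(url, user_agent, timeout=10):
    """Live fetch: follow redirects, return (final_url, content_type, body_text)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        body = resp.read(65536).decode("utf-8", "replace") if ctype.startswith("text/") else ""
        return resp.geturl(), ctype, body


def looks_like_apk(final_url, content_type):
    """An APK is betrayed by its MIME type or by the path it was fetched from."""
    return content_type.startswith(APK_MIME) or urlparse(final_url).path.lower().endswith(".apk")


def check_url(url, fetch):
    """Compare what desktop and Android user agents get from url and from
    every iframe the desktop page embeds. Returns human-readable findings."""
    d_url, d_type, d_body = fetch(url, DESKTOP_UA)
    targets = [url] + [urljoin(url, src) for src in IFRAME_SRC_RE.findall(d_body)]
    findings = []
    for target in targets:
        if target == url:
            desk_url, desk_type = d_url, d_type
        else:
            desk_url, desk_type, _ = fetch(target, DESKTOP_UA)
        andr_url, andr_type, _ = fetch(target, ANDROID_UA)
        if urlparse(andr_url).netloc != urlparse(desk_url).netloc:
            findings.append(f"{target}: Android UA redirected off-host to {andr_url}")
        if looks_like_apk(andr_url, andr_type) and not looks_like_apk(desk_url, desk_type):
            findings.append(f"{target}: Android UA is served an APK, desktop UA is not")
    return findings


# --- constructed fake sites so the check runs offline (assumed names) ------
GATE_HOST = "gate.example.invalid"                     # assumed attacker gate
APK_URL = "http://update.example.invalid/Update.apk"   # assumed payload URL
INJECTED = f'<iframe src="http://{GATE_HOST}/check" width="1" height="1"></iframe>'


def fake_compromised_site(url, user_agent):
    """The page itself is identical for everyone; only the gate discriminates."""
    if urlparse(url).netloc == GATE_HOST:
        if "Android" in user_agent:
            return APK_URL, APK_MIME, ""
        return url, "text/html", "<html></html>"
    return url, "text/html; charset=utf-8", f"<html><body>Welcome{INJECTED}</body></html>"


def fake_clean_site(url, user_agent):
    """A site with no injection answers every user agent the same way."""
    return url, "text/html; charset=utf-8", "<html><body>Welcome</body></html>"


if __name__ == "__main__":
    for finding in check_url("http://www.example.invalid/", fake_compromised_site):
        print(finding)
```

Pass urllib_fetch instead of the fake to check a live URL. The check only catches discrimination that happens on the first hop or in an iframe the desktop page reveals; injected JavaScript that builds the redirect at runtime would need a headless browser to observe.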


Photo  by  Scott  Akerman 




TACTICS 


By  Elisabeth  Horwitt 


The  New  Perimeter 


CSOs  are  mixing  an  assortment  of  technologies,  approaches  and 
policies  to  shore  up  defenses  on  the  changing  corporate  boundary 


Back in 2008, guarding Motorola’s perimeter was a lot simpler than it is today, recalls Paul Carugati, the company’s information security architect. “It was OK to just open up [firewall] port 80 [to network traffic], because we knew that everything that ran over it was HTTP,” he says. But with the rapid growth of Web 2.0 applications, e-commerce environments and cloud services, he adds, “in 2010, that wasn’t so true; in 2011, it wasn’t true at all.”

Management was continually questioning Carugati about the risk exposure related to a critical service or a social media environment, and the possibility of infiltration of the company’s data through social media. Motorola’s then-current firewall technology could trace users’ IP addresses, but it could not track applications and so was unable to monitor which ones were exposed.

To address the issue, Motorola’s security department added a next-generation firewall (NGFW) to its perimeter defense mix. In addition to traditional Layer 3 and Layer 4 firewall filtering, the platform can track outgoing and incoming traffic at the application level. This has brought huge gains in visibility, control and enforcement, Carugati reports. Now, it’s clear “which apps are flowing through that egress environment, including apps we thought we weren’t allowing outbound and ones we didn’t know about,” he says.

That visibility enables the security team to enforce far more granular security policies at the application level, rather than at the network protocol and port levels. Furthermore, management can now draw a far more accurate picture of the company’s social network presence and interactions, for risk assessment and compliance with regulations such as PCI DSS, Carugati says.

NGFWs are just one way in which companies are revamping their defenses in response to new threat vectors that have grown out of businesses’ growing use of and dependency on Web applications, social media, cloud computing, virtualization, wireless networks and mobile devices. These technologies continue to change the fundamental nature of business computing and communications.


Illustration by John Weber

As a result, the corporate boundary has become increasingly porous and difficult to define (some would even contend that it’s nonexistent), rendering traditional notions of “protecting the perimeter” obsolete. Not that companies like Motorola have jettisoned traditional defenses, such as legacy firewalls, intrusion-prevention and -detection systems, antivirus and antispam programs, VPNs, and the like. Rather, they have started looking at perimeter defense in a more multileveled, multilayered way.

A  Multilayered  Defense 

Industry experts advise CSOs to take a defense-in-depth approach that deploys multiple layers of security, so that malware and other threats that slip by the first line of defense get caught by the second or third.

That means going well beyond traditional perimeter defenses - namely, network firewalls - which monitor and control traffic on the basis of source and destination IP addresses, network protocols and port numbers. That leaves them incapable of defending against the 60 percent to 70 percent of attacks that now occur at the application level, according to Jon Oltsik, senior principal analyst at Enterprise Strategies Group.

For example, a network firewall can accept HTTPS traffic and block HTTP traffic from the Internet to a Web server. Without app awareness, however, it cannot distinguish between customer and hacker HTTPS traffic, Oltsik says. Savvy CSOs are bolstering this first line of defense with technologies such as NGFWs and Web application firewalls (WAFs), which can perform deep-packet inspection and identify known hacker signatures and abnormal behavior.

NGFWs typically monitor inbound and outbound enterprise traffic, identifying malware that may be riding on top of a trusted link, as well as app-level end user activities that are inappropriate, risky or prohibited. WAFs specifically monitor traffic between Web clients and servers.

Polk, a leading provider of data and marketing services for the auto industry, has supplemented its traditional firewall with F5 Networks' Big-IP Application Security Manager. The WAF protects Web servers from common app-level attacks such as SQL injection, says Ethan Steiger, the company's CSO. This has saved the company from the expense of redeveloping a number of Web apps with known code-related vulnerabilities.

NGFWs and WAFs can also help with one of the biggest headaches for CSOs: the threat of hackers using social engineering and other techniques to exploit trusted sources such as employees, partners and customers who have access rights to sensitive portions of the corporate network.

The growing use of mobile devices and the social Web for business purposes has greatly exacerbated this problem, industry experts agree. Once a hacker gains access to an employee's client device, "all of a sudden you've got malware or a bot trying to communicate via an established connection, back out through your perimeter" to the hacker's control center, says Andrew McCullough, manager of information security for hotel chain operator Accor North America.

Accor's security team deployed an NGFW five years ago, when application-level attacks first started showing up, McCullough says. While such attacks were infrequent back then, their number "has gone through the roof" in the past year or two, he says.

An NGFW's ability to enforce security policies on a granular level is critical, given business users' growing dependence on the Web, and social networking in particular, Oltsik says. "A lot of people see [perimeter security] as an ingress problem, malware arriving on incoming traffic," he says. At least as important, though, is determining which websites users are visiting and whether they are known malware-distribution or command-and-control sites, McCullough says.

Rather than deny, say, the marketing group all access to Facebook, companies can use an NGFW to limit access to those apps that business users consider to be critical to their jobs, Oltsik says. "That's a perfect intersection of supporting and protecting business."

McCullough agrees. "Our marketing, purchasing and HR teams all use Facebook now, often for very valid reasons," he says. Rather than trying to block employees from using Web-based applications with proven business value, "our job is to wrap controls around those apps, so they can be used with as little risk as possible."

Too Many Eggs in One Basket?

Most leading NGFW vendors, including Check Point Software Technologies, Palo Alto Networks, Juniper Networks, Fortinet, F5 and, most recently, Cisco, combine traditional stateful firewall capabilities with a range of other functions, such as application-aware traffic monitoring, intrusion prevention and data loss prevention.

These multifunctional security gateways are considered either synonymous with or a subset of unified threat mitigation (UTM), depending on whom you ask. The basic concept is the same: instead of purchasing, deploying and managing various perimeter defense mechanisms on separate appliances, a company can deploy a multilayered security strategy on a single hardware platform.

The main advantage of taking the UTM route is cost savings, sources agree. Products that are designed to handle one security function tend to be quite expensive, says Accor's McCullough. Intrusion-protection systems for a small organization can easily cost $10,000 or $20,000 a year, and for a large enterprise, annual costs can reach a quarter of a million dollars, he says. In contrast, that capability on an NGFW platform would be about $20,000 a year, according to McCullough.

Still, many CSOs remain leery of a single-vendor perimeter solution. Gartner's 2011 "Magic Quadrant for Enterprise Network Firewalls" report found that less than 5 percent of Internet connections were currently secured using NGFWs. That number will rise to 5 percent of the installed base, and 60 percent of new purchases by 2014, the report predicts.

Holding some CSOs back from taking the plunge is the cost of writing off legacy perimeter security devices. "Our infrastructure is incredibly expensive; it doesn't make business sense to replace it wholesale," says McCullough. Rather, his team is taking it slow, testing devices and planning to replace one existing set of firewalls with a more advanced product over the next year.

Going with one vendor's all-in-one solution often means sacrificing functionality for cost savings, McCullough adds. "You don't get the best in class, in my opinion," he says. Accor purchases its antispam and antivirus products from specialized vendors.

Furthermore, once the device starts looking into the actual content of packets, "you need a beefier box," says Eric Maiwald, a research vice president at Gartner. "Add anti-malware and attack signatures, then DLP, and you need even more power." That's why UTM devices work best in locations where throughput requirements are lower, such as small companies and branch offices, he adds.

"When you talk about front-ending a bandwidth-heavy location like a data center, you usually need to have separate devices for different functions," Maiwald says.

Accor's NGFW runs on a hefty hardware platform, but the company has had to "take some very serious jumps [in capacity] in a very short time, in order to keep up with demand," says McCullough. The hotel chain uses one type of perimeter device with cut-and-dried access-control rules for the transport VPN, and a second one to enforce granular app-based security rules for traffic going to and from the data center, McCullough says.

Accor is likely to remain a multivendor shop for the foreseeable future, according to McCullough. "We never want to get to the point of using a single perimeter security device; we want a mesh of products." While this means complexity, and potentially more administrative headaches, the benefits include increased assurance and risk reduction. "A hacker that bypasses firewall vendor A gets stopped by vendor B," he says.

Virtual Data Centers, Virtual Firewalls?

Virtualization of the data center has "thrown an interesting wrench into the perimeter security works," says Gartner's Maiwald. Different levels of trust can exist on the same physical server, and conversely, virtualized applications can run on different virtual machines that reside on physical servers in different security zones.

Virtual server vendors like VMware, as well as leading NGFW vendors, now offer "virtual security controls" that create a "virtual perimeter behind the physical perimeter," says Oltsik of Enterprise Strategy Group. Such products can be configured to control access across security zones in a virtualized environment.

However, Oltsik says his company's research shows that many security and IT staffs are still learning how to use such tools. Among the issues they face is how to segment the two types of networks to make sure physical and virtual security devices are working in sync. Another is how to enforce security policies when applications and virtual machines keep moving from server to server.

Still, some enterprise CSOs are starting to make good use of such tools. McCullough's team recently moved critical applications into Accor's data center, where a virtualized firewall provides "the same protection as the perimeter, including the same level of app awareness and control and threat prevention," he says.

There are two main perimeter defense strategies for virtualized environments, each with trade-offs, according to Gartner's Maiwald. The first is to compress all zones into a single virtual environment. This provides the most resource allocation flexibility but eliminates cross-zone security, which is not ideal from a risk-management perspective.

The alternative is to make each zone its own virtual environment. This allows companies to keep existing firewall mechanisms and is the best choice for risk management, Maiwald says. The downside is that flexible resource allocation, which provides the bulk of virtualization's cost savings, is limited to servers within a given zone, he says.

At Polk, for example, "We try to treat our virtual hosts with the same level of control as our physical hosts," says Steiger. "This has meant moving intrusion prevention within the virtual network, so to speak," and limiting movement between some virtual hosts.

The company still gets direct value from its virtualization strategy, just not as much as would be possible without these safeguards.

Making and Managing the Rules

Keeping up with the ever-changing threat landscape is another major issue for companies working to protect the perimeter. While leading NGFW platforms come with tools for auditing and updating security rules and monitoring security events from a central console, most businesses currently have a mix of perimeter security products, not to mention network devices, which can make administering those policies a major headache.

Adding app awareness to the mix makes the task that much more complex and arduous, industry experts agree. "You want the ability to make granular access decisions on an app-by-app basis," says Oltsik. Furthermore, policies have to be regularly updated in order to keep up with major new social media services and apps, which show up on a daily basis. If your firewall sees these new entries as generic traffic, it cannot control them, Oltsik points out.

Companies are increasingly turning to third-party policy administration tools from vendors such as FireMon, RedSeal and Skybox Security. RedSeal's risk-assessment and policy-administration software scans for vulnerabilities and monitors the rules and configurations across Polk's collection of firewalls, network switches and routers, says Steiger. "It also helps us implement policies consistently across the network perimeter, according to best security and business practices."

"FireMon lets us track changes on various vendors' devices and monitor compliance from a unified system," says McCullough. This is especially key given that the security team at Accor's parent company has occasionally made changes to the division's perimeter security policies without notifying McCullough's staff first. On one occasion, this resulted in several hours of network downtime, he reports. "Now when a change happens, FireMon immediately alerts us and allows us to trace it back to the source."

FireMon also helped Accor tackle the huge task of rewriting its entire security rule base. "We found rules that were eight or 10 years old, whose owners weren't around anymore," McCullough says. Other rules were invoked only once every couple of months, but those times were important, he says.
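The two rule-base chores described in the last two paragraphs, as an added example that is not FireMon's, RedSeal's, Accor's or the article's own code: an audit that flags unowned, very old, never-matched and over-broad rules for an owner's decision (idle rules are reported for review, not deleted, because a rarely used rule may still matter), and a snapshot diff that flags any change lacking an approved change ticket. The rule fields, thresholds and all sample data are constructed assumptions.

```python
"""Firewall rule-base hygiene audit and change tracking (constructed example)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    source: str
    destination: str
    service: str                  # port-level ("tcp/443") or app-level ("facebook-chat") match
    action: str                   # "allow" or "deny"
    owner: Optional[str]          # person or team accountable for the rule
    created: date
    last_hit: Optional[date]      # last time traffic matched the rule; None if never
    change_ticket: Optional[str]  # change-control reference for the last edit


# Constructed sample data: current staff directory and a small rule base with the
# kinds of problems the article describes (unowned, very old, idle, over-broad).
ACTIVE_OWNERS: Set[str] = {"netops", "ecommerce-team"}
TODAY = date(2012, 6, 1)
RULE_BASE: List[Rule] = [
    Rule("R1", "any", "web-dmz", "tcp/443", "allow", "ecommerce-team",
         date(2011, 3, 4), date(2012, 5, 31), "CHG-1001"),
    Rule("R2", "corp-lan", "legacy-erp", "tcp/1521", "allow", "jdoe",  # owner has left
         date(2003, 8, 12), date(2012, 5, 20), None),
    Rule("R3", "corp-lan", "any", "any", "allow", "netops",
         date(2004, 1, 9), date(2012, 5, 31), "CHG-0007"),
    Rule("R4", "branch-vpn", "payroll", "tcp/8443", "allow", "netops",
         date(2010, 11, 2), date(2012, 1, 15), "CHG-0950"),  # used only every few months
    Rule("R5", "corp-lan", "old-fileserver", "tcp/445", "allow", "netops",
         date(2009, 6, 6), None, "CHG-0500"),
]

Finding = Tuple[str, str]  # (rule_id, issue)


def audit_rule_base(rules: List[Rule], today: date, active_owners: Set[str],
                    stale_years: int = 8, idle_days: int = 90) -> List[Finding]:
    """Return hygiene findings; every finding needs an owner's decision, not auto-removal."""
    findings: List[Finding] = []
    for r in rules:
        if r.owner not in active_owners:
            findings.append((r.rule_id, "no active owner"))
        if (today - r.created).days > 365 * stale_years:
            findings.append((r.rule_id, f"older than {stale_years} years"))
        if r.last_hit is None:
            findings.append((r.rule_id, "never matched"))
        elif (today - r.last_hit).days > idle_days:
            # Idle is not the same as unneeded: confirm with the owner before removing.
            findings.append((r.rule_id, "idle: confirm business need before removing"))
        if r.action == "allow" and r.service == "any" and r.destination == "any":
            findings.append((r.rule_id, "overly broad: allows any service to any destination"))
    return findings


Change = Tuple[str, str, Optional[str], bool]  # (rule_id, kind, ticket, approved)


def detect_unapproved_changes(previous: List[Rule], current: List[Rule],
                              approved_tickets: Set[str]) -> List[Change]:
    """Diff two snapshots of the rule base and mark each change without an approved ticket."""
    before = {r.rule_id: r for r in previous}
    after = {r.rule_id: r for r in current}
    changes: List[Change] = []
    for rid in sorted(after.keys() - before.keys()):
        ticket = after[rid].change_ticket
        changes.append((rid, "added", ticket, ticket in approved_tickets))
    for rid in sorted(before.keys() - after.keys()):
        changes.append((rid, "removed", None, False))  # removals always get a human look
    for rid in sorted(before.keys() & after.keys()):
        if before[rid] != after[rid]:  # dataclass equality compares every field
            ticket = after[rid].change_ticket
            changes.append((rid, "modified", ticket, ticket in approved_tickets))
    return changes


# Constructed second snapshot: R1 was widened to plain HTTP with no ticket (the
# "another team changed the policy without telling us" case), R6 added under a ticket.
CHANGED_RULE_BASE: List[Rule] = (
    [replace(RULE_BASE[0], service="tcp/80", change_ticket=None)]
    + RULE_BASE[1:]
    + [Rule("R6", "partner-net", "web-dmz", "tcp/443", "allow", "ecommerce-team",
            TODAY, None, "CHG-1002")]
)
APPROVED_TICKETS: Set[str] = {"CHG-1002"}

if __name__ == "__main__":
    for rule_id, issue in audit_rule_base(RULE_BASE, TODAY, ACTIVE_OWNERS):
        print(f"audit  {rule_id}: {issue}")
    for rule_id, kind, ticket, ok in detect_unapproved_changes(
            RULE_BASE, CHANGED_RULE_BASE, APPROVED_TICKETS):
        print(f"change {rule_id}: {kind} ticket={ticket} approved={ok}")
```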


Elisabeth Horwitt is a freelance writer based in Massachusetts. Send feedback to Editor Derek Slater at dslater@cxo.com.




COVER STORY | CAREER


When I Left Security


Four perspectives on executive communication from security experts who moved on to other business roles

BY MARY BRANDEL


Charlie Brown

NOW: Director of global program deployment at Avery Dennison, which is based in Hong Kong.

THEN: After serving in the military, working as a policeman, running the computer department of a ski hill and then joining a computer startup, Brown moved into security at Veritect, where he was a consulting director and trainer. He joined Avery Dennison as a manager of network security and then IT director.

Scott Berinato

NOW: Senior editor at Harvard Business Review.

THEN: Berinato helped launch CSO magazine in 2002 after covering security, technology and business topics first at PC Week, then at CIO magazine. His in-depth security coverage won him numerous national journalism awards.


John Hartmann

NOW: CEO at Mitre 10, a retailer in New Zealand.

THEN: Hartmann spent the first 10 years of his career as a supervisory special agent with the FBI, after which he joined Cardinal Health as vice president of security. He moved into an information security risk management role at Home Depot, after which he served in a series of business roles, starting with long-range strategic planning and culminating with the role of COO for Home Depot Supply Electrical.



Scott Blake

NOW: Runs the program management office at Bangor Savings Bank in Maine.

THEN: Blake started as a network security architect at Netegrity and then became a vice president of information security at BindView (now owned by Symantec). After serving as CISO at Liberty Mutual, he changed paths to become a financial adviser at Wells Fargo.




Much has been said about the great divide that keeps business leaders from truly understanding the perspective of security professionals. One way CSOs can close that gap is to simply cross to the other side.

We found four professionals who did just that, including three former CSOs who now hold other business roles and one former security journalist who is an editor at the renowned business publication Harvard Business Review. They shared with us their new perspectives on how they view security and risk management from across the chasm.


On the importance of a business mind-set:


Charlie Brown: When I first moved into the business, I went to the website to do some research, and our Web filtering software wouldn't let me go to Abercrombie because it identified it as pornographic material. Another thing it wanted to block was "XXXL," which is a size of clothing, so it kept orders from going through.

So one of the insights I would offer is to really understand the markets you're in. Sixty percent of the volume in the garment industry comes out of China and Asia. You can't create a security policy if you don't understand what the great firewall of China is all about or the cultural differences of how people work in Indonesia and Bangladesh. You can't have a data center migration policy if you don't understand people in some countries work Saturdays, don't work Fridays and don't celebrate Christmas.

John Hartmann: If I could change one thing about my career before transitioning into the business, I would have spent more time understanding the inner workings of how the business made money. Every company has a different business model and a different way of being profitable. Understanding that profit model will give you a more balanced perspective around how you make proposals and position important initiatives, whether it's information protection or computer security or business continuity. It will help you think more broadly about what solution should be pursued and how you should implement it in a cost-effective way.

On what "networking" really means:

Scott Blake: What I understand better now - and wish I understood better as CISO - was the importance of networking. I thought I understood it, but not as well as I do now, and the time I spent being a financial adviser was incredibly helpful for that. Security and IT people tend to be very analytic, and we tend to want to persuade with facts and data. But getting a client to understand what they need to do to secure their financial future is a very emotional thing for them, and the same is true in the information security world. You need to make an analytical connection, but you also need that emotional connection. If I'd known that when I was a CISO, I would have done a lot more networking and paid a lot more attention to the emotional piece of the case I was trying to make.

On understanding business leaders:

Scott Berinato: I now realize that business leaders are consumed with so many responsibilities that you'd be lucky to get six minutes of their time. I'm not saying it's impossible to get business execs to hear what you're saying about risk, but it's become more clear to me why the disconnect exists and will continue to. There's no secret formula that will get CEOs to understand, care about and consistently consider what are - to them - remote, vague threats. If it's not an immediate threat, it's hard for them to focus on it.

I've learned this is not something that will be fixed or overcome - it's just something that has to be managed. The best you should hope for is an executive who will empower you to be a strategic part of the organization and will actually give you the floor to talk about what you need to talk about. People trust leaders, so the most effective thing a leader can do is show people, "Hey, this stuff matters." That's more powerful than trying to get them to understand in detail how online threats work.

That has shifted my thinking from trying to effect a massive culture change so everyone is thinking about security all the time, to realizing that that's impossible. What is possible is being able to communicate on a regular basis with the right people.

Blake: It's very difficult to communicate at scale. It's much more effective to communicate one-on-one. With my financial advising clients, I could send a letter out and some might take it to heart, but if I sat down with them, it would have a significant impact. The same is true when you navigate corporate America. The security department can send out emails all day long, but they still need to make individual connections. You need to convince leaders and key influencers one-on-one, who can pass it on through the rest of the organization.

A mistake some CISOs make is focusing just on the CEO, but sometimes it's more effective to convince everyone else who the CEO listens to. Drawing a parallel with being a financial adviser, a lot of times when you're dealing with a couple, often one will defer to the other, but it's not always obvious which is which. There are key influencers on the other side of the table, and being able to influence them is key to being convincing.

Brown: There's a different dynamic when you're working in the business versus for the corporate entity. In the business, you're dealing with budgets and outages and screaming customers. When I take somebody from corporate with a $100,000 pet project out to the manufacturing floor and show them how many tags and labels we need to make to make $100,000 in profit, it blows them away.

Photography on previous page, counterclockwise from top left: Jason Smith; Charlie Brown; Christina Hollins; Steve Traynor

On knowing end users:

Brown: Security starts with the end user - that, by far, is the weakest link, with the proliferation of passwords and end users not educated about what makes a computer and network secure. So to get on their radar, I would focus on leveraging automated or long-distance training through quick, five-minute webinars or infomercials, with one or two key bullets of, "This is what we're talking about this week. Let's do this thing really well next month." It could be about passwords, secure use of wireless, paying attention to who you friend on Facebook, thinking before you double-click on that attachment and what to do if you think something is fishy.

Information security isn't 100 people - it's three, four, five, 15 key people in the organization. You need to think about how to leverage their expertise, get them in front of the end users in an enticing way so you're not offending but embracing them.

Blake: Security professionals tend to gravitate toward a cartoonish vision of end users - that they're not competent or they don't understand technology. But that's not true - they do understand the need for security, but they chafe against it when they don't see the value or can't do something they want. It's more of an education issue than anything else.

Users have a desire to do the right thing. They don't want to put the company at risk, but they need to get their job done, and that's their first priority. So security professionals need to make sure things are as easy as they could possibly be - not because it improves compliance, but because it improves users' ability to do the right thing, which is what they already want to do. The discussion needs to be, "Here's how you can do what you need to do in the right way." It's not, "Don't send confidential information in an email," but, "Here's how you can communicate that information in a secure manner."

On balancing risk and cost:

Hartmann: Business isn't black-and-white. You need to strike a balance between what's required to protect the business and running the business in a cost-effective way. A perfect example is how, after 9/11, disaster recovery and business continuity planning got a whole new focus, and many companies learned from those discussions about the balance between running a business and thinking about the many issues they could face that we didn't think about before. Many companies have made disaster recovery planning an annual part of their risk assessment, while for professionals involved in this type of work, it's part of their daily responsibility.

Brown: You need to provide insight and leadership along the lines of, "If you want to be 100 percent protected, it will cost $10 million, but for reasonable protection, this is what we need to do, these are the gaps to fill."

On whether to buy that security tool:

Brown: Make sure you've signed up for something you can pull off. Many companies have these gadgets - intrusion protection and detection, wireless security - that may not reap all the benefits they initially thought they would. You put in an intrusion prevention device and put the rules on it, and people complain because they can't do this or that, so you turn off a lot of the features. You're still paying maintenance fees, but are you using it to do what you bought it to do?

So, don't rely on security vendors to provide ROI for you. Base it on what you believe you can do based on your company's culture, your team's capabilities, your team's throughput. A lot of times, you can't get the product's full potential because you just have too many things going on.

On the trend toward the consumerization of IT:

Brown: Bring-your-own-device is coming; it's a given. The fact is, my housekeeper in Hong Kong has a newer laptop and better software than I have on my business computer. Figure that one out for me. The challenge is, don't invest in hardware and software; allow your employees to invest in that and leverage what they already own. Figure out how to integrate that into your systems. With 20,000 employees, $1,000 per computer and $1,500 per software license, it's cost-prohibitive. But if you allow people to use their own equipment, I guarantee they will come to work with the latest and greatest. This means putting a stake in the ground - having a crisp and clear policy of, this is the device we are supporting, so you can build an app and send it out, and it's done. People would flock to it because they'd feel empowered.

On whether to play up the fear, uncertainty and doubt factor:

Berinato: The ability for CSOs and senior security executives to demonstrate calm, commanding leadership is more important than I previously thought. People in security roles naturally adapt to a crisis mentality, but if something is happening and you're saying, "This is a big deal; this is scary," it's not good. A threat combined with a lack of information causes severe stress for people.

This seems to come naturally in the physical security world, where they tend to approach problems methodically and analytically and come up with a plan, and if it doesn't work, come up with another plan. The nature of the information security threat is more amorphous and harder to control.

Blake: Selling security with FUD works, but it's not necessarily the best way to do it. You can also emphasize the positive things security can do for a business. Having seen that security is top of mind for internal clients in the financial services industry, I now know that I should have looked at security as a service provided to internal customers, a value brought to the table.




On why security is more important now than ever before:

Brown: Looking back, I'm more paranoid about security now than I was back then. We didn't have these consolidated hacker groups like Anonymous that wanted to prove their point, whether to GM, the Vatican or whatever. How do you balance your security posture when at any moment, you could be subject to someone with more manpower and time than you have? There's a lot of damage that an external group can do to a company if they have it out for you. They're coming at it from a specific angle, and it's difficult to anticipate from a business standpoint.

Hartmann: Generally speaking, the business does not fully understand how serious the threat is to the critical infrastructure, network data and proprietary information from foreign governments, foreign companies, domestic competitors and others with less than legitimate intentions. Security professionals need to continuously educate about these risks and work to implement balanced risk mitigation plans and tools.

Berinato: The disconnect between the realities of security and the pop media treatment of it presents a challenge, especially in the hacking world. All of that is very real and very dangerous, but I can’t tell you the number of stories I read in respected media outlets that dumb down or misconstrue the threat. Ever since 9/11, security has become a pop culture phenomenon. There are lots of popular myths, simplifications and ideas that people take to heart, and security professionals have to understand and dismantle these and help re-explain things in the right way.

“I’m more paranoid about security now than I was back then.”
-Charlie Brown, Director of Global Program Deployment, Avery Dennison

On why security professionals would enjoy a business career:

Hartmann: Security-related backgrounds provide a strong foundation for working in a core business role. Whether it’s an inquisitive mind-set, interacting with a large variety of people from all walks of life or keeping an open mind to how the story might unfold—these are skills that folks with security backgrounds have that, when applied correctly, pertain to the business itself. To this very day, I draw on skills and techniques I learned in my early career.

Having a risk-averse perspective is actually a positive thing in business. As long as it’s not taken to the extreme, this mind-set forces you to come at something from different angles to reach a strong conclusion. If you’re going to market with a new product or approach, asking all the right questions will result in the highest possibility of success for that new project.

Brown: You don’t get the short-term wins on the security and technology side that you get on the business side. It’s a refreshing place to be. There’s not a week that goes by where I’m not negotiating a million-dollar bid, whether it’s Abercrombie calling, or Victoria’s Secret wanting neon pink thread, or I need to make unicorns appear, immediately. ■


Mary Brandel is a frequent contributor to CSO. Send feedback to editor Derek Slater at dslater@cxo.com.




EWF

Alta Associates’ Executive Women’s Forum
Information Security, Risk Management & Privacy

October 2-4, 2012, Hyatt Regency at Gainey Ranch, Scottsdale, AZ

Managing Current & Future Risks Globally

Gain a Security, Privacy, Risk & Leadership perspective on the latest trends, challenges, and game-changing solutions for an increasingly mobile workforce.

INVEST IN YOURSELF!

- Earn up to 19 CPE Credits
- Build a Network of the Most Dynamic Women in Our Industry
- Take Home Tools, Best Practices & Solutions to Achieve Success

Panels Include:

• The Impact of Social Media... Social media technologies are driving a digital revolution. Learn how to leverage the tools themselves and explore the risks they pose—identity theft, data leakage, privacy considerations, brand management, appropriate use. Discuss the potential controls, boundaries and policies.

• Establishing a Healthy Data Relationship... Big Data, the ubiquity of the Cloud and mobile devices, combined with the blurring of our work and personal lives, means that data is coming together in a myriad of ways. Discuss data commingling, the business problems and risks associated with it.

• Anatomy of an Attack: A Survival Workshop... Be a part of the experience as we walk through some examples in recent history of major security and privacy compromises, from the technical aspects to regulatory elements to the PR management of the events.

• BYOD - Balancing Access with Security... Learn how companies are safely extending corporate access and data through mobile devices. Explore the complexities of managing and mitigating the risks of smart phones, tablets and other devices.

WOMEN OF INFLUENCE AWARDS

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO Magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy.

Winners will be announced at a ceremony during the EWF event.

For nomination form go to: www.ewf-usa.com

Nominations must be submitted by August 31, 2012

FORUM HOST & AWARDS CO-PRESENTER

MEDIA SPONSOR & AWARDS CO-PRESENTER

DIAMOND SPONSORS: Information Networking Institute, Carnegie Mellon; Microsoft; Symantec

For more information on the EWF or to register, please visit: www.ewf-usa.com



FRAUD

That’s the Ticket

Whenever a list of logon credentials is dumped on the Web, retailers get hit with waves of automated attacks. Here’s how ticket marketplace StubHub fights that threat. By George V. Hulme


ROBERT CAPPS KNOWS a lot about fraud and transaction-level risk. As senior manager of trust and safety at StubHub, Capps has witnessed just about every trick that can be used to try to hide a fraudulent transaction.

Since 2000, StubHub has provided a marketplace for event-goers to buy and sell tickets to sports games, concerts and theater shows. In its role as a marketplace, StubHub sits in the middle of the transaction, which makes it different from many merchants, explains Capps. “One of the keys to our marketplace being unique is that we manage the acceptance and distribution of all the payments for all of the transactions,” he says.

That unique role, however, makes this marketplace all the more motivated to catch fraudsters. And motivated Capps is. The risks his company faces are many. Buyers can cause StubHub problems by buying tickets with stolen credit cards, by deciding—after the event—to dispute the charge (buyer’s remorse), or by claiming that the credit card used for the purchase was used without the cardholder’s permission.

“On the seller side, generally, it’s an exception process, such as if the seller fails to deliver the tickets that they promised. In that case, we step in and make sure the customer gets tickets. Also, if they provide tickets that were invalid for some reason, it’s our job to fix that transaction,” Capps says.

Illustration by Michelle Thompson

“Being in the middle of this marketplace and being responsible for all the edges of the transactions means that we have to be really creative about how we address the different risks,” he says.

Many of the fraudulent transaction types—stolen credit card, buyer’s remorse and unauthorized transactions on a legitimate card—can be mitigated by running sales through a risk-scoring engine and utilizing fraud models to predict the outcome, Capps explains.

However, fraud, like any type of crime, is constantly evolving. When one facet of fraud is under control, attacks surface elsewhere. “We found there were fraudsters who had figured out that they could validate credit cards through our platform. They were registering for a new account, and then they would post a credit card to it. Then we would, just like any merchant would, authorize the credit card to make sure that it was good before we allowed the customer to store it,” Capps says.

“The message that we sent back in these cases—that the credit card was accepted or declined—is a very helpful message to tell someone who is trying to cleanse a stolen credit card list,” he says. “We realized from this that there’s this entire other level of fraud that happens in the e-commerce ecosystem, specifically around utilization of expected business logic. Through this attack, any merchant could effectively be material support for a fraud scheme, effectively validating cards just by issuing business logic to the public that was intended to help provide a good customer experience.”

The number of these types of attacks typically soars after a list of usernames and passwords is released to the Web—which has become commonplace in the past few years. Once such a list hit, Capps found that it would be run against StubHub’s logon page as attackers feverishly looked for combinations that worked.

However, he says, these attacks proved difficult for StubHub to identify. “We wouldn’t see it through our monitoring technologies because most vendors weren’t looking for actual application responses. They were looking for error conditions within the responses. They’re looking for 500 errors, not 200 successes,” explains Capps.


StubHub had to look for such fraudulent transactions in a different way: Rather than seeking bad transactions—things like failed log-on attempts—they started looking for ways to catch an increase in the frequency of good transactions.

“We went through considerable effort to understand how we could monitor for and solve this problem, but we found it very expensive to be able to do this in our own application code. That turns out to be a common theme when you start talking about applications defending against legitimate uses by illegitimate actors,” he says.

“These scripted attacks blend into the noise for very large-volume sites if you are not looking at the individual volumes of transactions coming from given Internet addresses,” Capps says. “And with the botnets out there today, these attacks can be distributed across hundreds of thousands of hosts, and you don’t have more than 10 or 20 attempts coming from any given Internet address.”

DEFENSE STRATEGY

To get a handle on these scripted attacks, StubHub turned to Silver Tail Systems, which dubs itself a provider of web session intelligence tools. Silver Tail’s Profile Analyzer, released last month, provides real-time analysis of both individual user and crowd behavior on websites to help identify malicious activity online.

The tool analyzes Web session behavior by modeling individual user behaviors against their past usage history on the website to try to determine whether their activity is legitimate. The analysis also incorporates a baseline reflecting all of a website’s user base, which Silver Tail says increases accuracy.

“We found very quickly that these scripted attacks stuck out like a sore thumb when examined with Silver Tail. And we were able to identify that these attacks were happening very quickly after they started, based upon the fact that our normal customers didn’t hit the log-in page with 10 different log-ins from an IP address within a public cloud, then switch IP addresses and do 10 more, and switch IP addresses and then repeat,” he says.
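The detection idea Capps describes in the two passages above (count login attempts per source address with successes included, and spot a script that works through a batch of accounts from one cloud IP before hopping to the next), as an added Python example; this is not StubHub’s or Silver Tail’s code, and the log format, thresholds and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real traffic), one attempt per line:
# "<ISO timestamp> <client IP> <username> <HTTP status of the login POST>".
# 198.51.100.x are ordinary customers retrying their own account.
# 203.0.113.20-22 model the scripted attack described in the article: each
# address works through a handful of different accounts, some of which
# succeed (200), then the script moves on to the next address. Monitoring
# that counts only 4xx/5xx responses sees just a few failures per IP.
SAMPLE_LOG = """\
2012-06-01T10:00:01 198.51.100.10 alice 401
2012-06-01T10:00:05 198.51.100.10 alice 200
2012-06-01T10:00:10 203.0.113.20 bob 401
2012-06-01T10:00:11 203.0.113.20 carol 200
2012-06-01T10:00:12 203.0.113.20 dave 401
2012-06-01T10:00:13 203.0.113.20 erin 401
2012-06-01T10:00:14 203.0.113.20 frank 200
2012-06-01T10:00:20 203.0.113.21 grace 401
2012-06-01T10:00:21 203.0.113.21 heidi 401
2012-06-01T10:00:22 203.0.113.21 ivan 200
2012-06-01T10:00:23 203.0.113.21 judy 401
2012-06-01T10:00:24 203.0.113.21 mallory 401
2012-06-01T10:00:30 203.0.113.22 niaj 401
2012-06-01T10:00:31 203.0.113.22 olivia 401
2012-06-01T10:00:32 203.0.113.22 peggy 200
2012-06-01T10:00:33 203.0.113.22 rupert 401
2012-06-01T10:00:34 203.0.113.22 sybil 401
2012-06-01T10:05:00 198.51.100.11 trent 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed format into sorted (ts, ip, user, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # tolerate malformed lines instead of aborting the scan
            continue
        ts, ip, user, status = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, int(status)))
    return sorted(events)


def flag_sources(events, window=timedelta(seconds=60), max_accounts=4):
    """Flag IPs that attempt more than `max_accounts` distinct usernames
    inside any span of length `window`. Successful logins count exactly
    like failures: the signal is the number of accounts per source, not
    the error rate. Returns {ip: (distinct_accounts, successful_logins)}."""
    by_ip = defaultdict(list)
    for ts, ip, user, status in events:
        by_ip[ip].append((ts, user, status))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # advance the window start until attempts[start:end+1] fits in `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u, _ in attempts[start:end + 1]}) > max_accounts:
                distinct = len({u for _, u, _ in attempts})
                successes = sum(1 for _, _, s in attempts if s == 200)
                flagged[ip] = (distinct, successes)
                break
    return flagged


def group_by_subnet(flagged):
    """Group flagged IPs by /24 so an attacker hopping between neighbouring
    cloud addresses, a few attempts each, shows up as one campaign."""
    subnets = defaultdict(list)
    for ip in flagged:
        subnets[ip.rsplit(".", 1)[0] + ".0/24"].append(ip)
    return dict(subnets)


def accounts_needing_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: these
    credentials were evidently on the dumped list and need a forced reset."""
    return sorted({u for _, ip, u, s in events if ip in flagged and s == 200})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = flag_sources(evts)
    for ip, (distinct, successes) in hits.items():
        print(f"{ip}: {distinct} accounts tried, {successes} succeeded")
    print("campaigns by /24:", group_by_subnet(hits))
    print("force password reset for:", accounts_needing_reset(evts, hits))
```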

Identifying such attacks is one thing. Stopping the attackers from doing damage is another. To do that, Capps says they’re feeding the attackers poisoned responses. “When we identify someone that’s coming to the site with a list of compromised credentials, the intention is to randomize the response to them. Good is bad, bad is good, sometimes good is good, and sometimes bad is bad. The idea is to give them enough bad data that they question the data they’re getting from us,” he says.

“There’s an entire other level of fraud that happens in the e-commerce ecosystem, specifically around utilization of expected business logic.”
-ROBERT CAPPS, SENIOR MANAGER OF TRUST AND SAFETY, STUBHUB

To protect their customers whose credentials appeared on those lists, StubHub initiates a forced password reset on those accounts so that they must change their logon credentials when they next attempt to access their accounts.

Capps isn’t sitting on his success. He wants to be more precise in vetting potentially fraudulent transactions. Mostly, customers who come to the marketplace to buy or sell a ticket interact with the site in a typical way. “They’ll read reviews, do searches, make a selection and log on. If they hop right to the end, right before log-in, and don’t go through any of the normal routine, that’s questionable activity,” he explains.

“I don’t know of any merchants that have the ability to evaluate for potentially fraudulent transactions by looking at how the transaction progressed leading up to the checkout page. That’s our next step, and something we’re looking forward to using Profile Analyzer for,” Capps says. “The people committing fraud don’t stop, and neither can we.” ■


Freelance writer George V. Hulme is a frequent contributor to CSO. Send feedback to Editor Derek Slater at dslater@cxo.com.




Proven IT Leadership Development
Designed and Led by Future-State CIOs

» Chart your own path based on career aspirations and goals
» Identify opportunities across known IT competencies
» Learn from high-profile, experienced CIO mentors
» Tailor participation within three areas of professional development
» Utilize Boston University and Harvard Business Publishing courseware

Pathways: Start Your Journey Today

Visit: council.cio.com/pathways
Call: +1 508.766.5696
Email: cec_info@cio.com

Powered by CIO Executive Council
Leaders Shaping the Future of Business

THE FUTURE-STATE CIO


[INDUSTRY VIEW]

By Richard Power

Protecting Data in a Hyperconnected World

Richard Power talks to Christopher Burgess about the theft of trade secrets, the rise of social media, and the failure of weak governance


This is the second in a series of interviews with C-level executives who are responsible for cybersecurity and privacy in business and government, and who also happen to be thought leaders. (In case you haven’t noticed, “C-level executive” and “thought leader” are not synonymous.)

For this issue, I spoke with Christopher Burgess, COO and CSO at Atigeo, about a range of topics, such as intellectual property (IP) theft, economic espionage, the rise of social media, and the challenges of governance. Before moving to Atigeo, Burgess was senior security adviser to Cisco’s CSO. Before that, Burgess served for 30 years as a senior national security executive for the U.S. government, living and working in strategic regions throughout the world.

Oh, yes, and in 2008, Burgess and I co-authored Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century.

Richard Power: It has been four years since the publication of Secrets Stolen, Fortunes Lost. Give us your perspective on where we are in terms of corporations and security professionals coming to grips with the threat of economic espionage and IP theft. Mine are mostly unprintable at this point. Any progress in general?

Christopher Burgess: My 30,000-foot perspective has not changed since we wrote our book. Every company, regardless of locale, has the potential to fall into the sights of an entity or individual who has designs on their assets. The company can choose to educate or not educate their workforce to this reality.


Sadly, I continue to see far too many companies operating as if they are immune to falling into the crosshairs of someone’s targeting scheme because they aren’t engaged in national security work—they think economic espionage and IP theft only happen to those in the national security vertical. While I don’t disagree that the nation-state vector is one to which we, collectively, must pay attention, the individual, the competitor and the criminal vectors also warrant every company’s attention.

Likewise, far too many companies are not making their whole workforce security- and threat-aware. They are—whether they intend to or not—selecting who they think will be targeted by an adversary based on the assumption that certain employees’ work wouldn’t be of interest.

Has there been any increase in the level of awareness in the past few years?

I’d like to say yes, but as I just said, attempting to select out for training only those who you believe are in positions of interest to an adversary is a fallacy. That is not to say that those in highly sensitive positions—that is, with daily access to a company’s financials or critical IP (think: the Coca-Cola recipe)—should not be afforded additional training and undergo more stringent security reviews on a periodic schedule. They absolutely should.

Sadly, we have been repeatedly shown that safety, security and cybersecurity training are not being provided in a robust and uniform manner. Let’s take for example the findings of a survey of the financial industry that PricewaterhouseCoopers conducted a few months back. It’s titled “Cybercrime: Protecting Against the Growing Threat, Global Economic Crime Survey.”

This global survey showed that two in five workers—about 40 percent—had not received any cybersecurity training, and that companies with the best security posture were those that have the CEO invested and leading, and use top-down training (that is, the CEO is included).

There is still much work to do in this arena.

Any shift in emphasis that would imply potential targets are taking this particular threat more seriously?

Clearly those in the security industry have seen members of their industry take a few body blows as their source code or other crown jewels go missing. The security industry always knew (or should have known) that they were the prime targets; now they have validation that the size of the bull’s-eye they are wearing is substantial.




Those companies engaged in the national infrastructure have also received a wake-up call, and now you see and read more about how SCADA [supervisory control and data acquisition] systems are being targeted and exploited. Regardless of industry, I’ll stand by my prior statement: “Your employees are potential targets. Your company is a potential target. Size does not matter.”

And has there been any wider acceptance of our premise that to mitigate this threat, the overall approach to security from cyber to physical (and back again) has to be holistic?

I was discussing this point with some attendees at the New Digital Economics conference in San Francisco last year. The adversary has all the time they require to scope their problem set, do their analysis, put together their attack plan and then execute. You as the target have to be ready all the time, even when it’s inconvenient. The adversary is waiting for you to allow convenience to trump security, and then they take advantage of the window of opportunity you’re giving them.

I also note that companies are buried in their data. They have structured data and unstructured data, and they are trying to make sense of it all. And frankly, they are often simply overwhelmed. Their inability to maximize the “big data” sitting under their roof, I believe, is to a potential adversary’s advantage.

Social media has evolved at a mind-boggling pace, and it has already had a profound impact on politics, geopolitics, culture, media, and so on. And this profound impact is on a global scale. For me, Facebook and Twitter have proven to be fascinating laboratories. With social media, the personal and the professional are increasingly entwined, and this entwining has presented us all with unprecedented challenges and opportunities, personally and professionally. I know you have taken a deep, long look at this subject. What are the essential elements of a practical, effective social media policy for major corporations?

I’ll stick to three key ingredients:

1. All inclusive: 100 percent of the workforce needs to be aware.

2. Logical guidelines: Know why these guidelines exist—to protect the employee, employer, partners and customers.

3. Staying dynamic: Guidelines are not one-and-done. They are living documents that need to be updated on a regular schedule.

What do you look for in such programs?

I want to know whether or not the program has expunged “no,” and replaced it with “how,” accompanied by a “why.” Rarely do we see employees willingly compromise their company. But sometimes they do it by accident because they didn’t know why certain information should not have been accessed during a period of embargo, or they are told that they can’t use any social networks but aren’t told the why behind the request, and in their attempt to get their tasks completed, they find a workaround.


Is there anything else you would like to say about the security, privacy and risk issues that have cropped up thanks to the rise of social media?

Social media has given a lift to the competitive intelligence industry, like sliced bread did to bakeries. I continue to be amazed at the willingness of individuals to over-share about their personal lives, their professional lives and their companies.

You had a long and distinguished career in national security, working for the CIA for 30 years, and after that you spent several years working on global security issues at the highest levels of an industry-shaping corporation, a giant of the IT sector, working both internally and with that corporation’s partners.

So I would like to hear your perspective on where governance is in regard to cybersecurity, privacy and risk in the private sector. As with the first question, at this point, my views are unprintable, except that I will say that the concept of ROI for cybersecurity is wrongheaded and mind-killing, and that I doubt any true evolution toward holistic cybersecurity is possible in a business environment in which the only criterion for executive decisions is the next quarterly profit and loss statement. Perhaps you can offer something more positive?

You have me chuckling. Top-down implementation of security protocol in every company has become table stakes. If a company’s leadership isn’t interested in baking security, privacy and risk factors into all their efforts, then frankly I believe they are limiting their ability to compete in today’s society. They’re going to find that those of their competitors who do bake security in will use this differentiation to their advantage.

Let’s look at privacy. The aforementioned is truly applicable if they are in an industry where they are dealing with individuals’ personal data—they need to move away from the mind-set that the data is theirs. It’s about the individual’s data—the individual needs the explicit ability in easily understandable terms to make a decision on how and when their personal data may be used. With respect to security, there are two facets I consider low-hanging fruit in tightening up one’s regime: 1) educate your workforce, and 2) update your appliances and software when the manufacturer provides you patches. The former raises the level of awareness throughout the company, while the latter closes down known avenues of exploitation.

Though we’ve been at this a long time, I continue to believe we’re at the beginning of a very long journey. During 2011, the warning bell was tolled many times, at events such as RSA and Symantec, and this has served to wake up the security industry. ■


Richard Power is a distinguished fellow at Carnegie Mellon CyLab. Send feedback to editor Derek Slater at dslater@cxo.com.


“Your employees are potential targets. Your company is a potential target. Size does not matter.”
-CHRISTOPHER BURGESS, COO & CSO, ATIGEO




[debriefing]


5 Facts: Fraud

5%: estimated revenue lost to fraud each year at a typical company

49%: percentage of fraud victims who do not recover any of their losses

$140,000: median loss in occupational fraud cases

$573,000: median loss in fraud cases where the perpetrator is owner or executive-level

25%: percentage of asset misappropriation fraud that involves billing systems or processes

Source: 2012 Report to the Nations on Occupational Fraud and Abuse (Association of Certified Fraud Examiners)




Ryan Kalember

Chief Product Officer

Ryan is responsible for WatchDox's product strategy, management and marketing. He focuses on ensuring as many organizations as possible can use WatchDox to protect their most sensitive information. With 14 years of experience in a variety of roles in the US and EMEA, Ryan has an extensive background in information security. Prior to WatchDox, Ryan ran solutions across HP's portfolio of security products. Before its acquisition by HP, Ryan was director of products at ArcSight. Previously with Verisign, Ryan held a variety of positions, including EMEA regional manager and senior product manager.


For more on WatchDox: visit www.watchdox.com


WatchDox

CSO Custom Solutions Group


Maintaining the Security of Shared Documents


A constant flow of unstructured information is spilling over the corporate firewall. Solutions that block or safeguard documents in transit can't protect content once it's outside the enterprise. When you share a document, how do you prevent the recipient from printing or forwarding it? For insight into these issues we interviewed Ryan Kalember, chief product officer of WatchDox, supplier of a document-centric security platform.

How much is document security impacted by mobility and consumerization?

Controls have to be enforced everywhere a document can travel; otherwise there's really no control at all. You can't expect users to constrain themselves to what you've provided them. So you have two choices: you either build security into the data itself—meaning that even if a user accesses documents with Gmail or Dropbox, the data is protected—or offer your own enterprise version of the productivity tool the user depends on. Ideally, you do both.

What are the strengths and/or weaknesses of different approaches to managing document security?

One approach is network-based, where you force a tablet or smartphone to be on a VPN and send all its network traffic back through the corporate network. For a variety of reasons that tends not to work very well, unless you have a very tightly controlled environment.

Another approach that theoretically can work is mobile application management, where you attempt to rely on an application to do the data control. In that case you're not solving the whole problem, just protecting the data when it goes to a mobile device.

The only sensible approach is to build a data-centric security model where the controls are embedded in the data itself—the controls travel with the data, and they're dynamic; they always phone home in case something changes. So if a business relationship devolves, if a contracting relationship ends, if a device goes missing, if a user gets fired under acrimonious circumstances, you can always revoke access to that data if need be.
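As an added illustration of the data-centric model just described (example code written here, not WatchDox's product and not code from the interview), a stdlib-only Python sketch: the envelope that travels carries only ciphertext, every open phones home to a policy server that decides on the current access list, and revocation takes effect on the next open even for copies already forwarded. The PolicyServer, the HMAC-SHA256 keystream (a toy stand-in for a real AEAD such as AES-GCM) and all names and sample data are assumptions.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher from HMAC-SHA256 (stand-in for AES-GCM)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PolicyServer:
    """Hypothetical 'phone home' service: holds every document key and its access list,
    so a copy of the envelope alone is useless and access can be withdrawn later."""

    def __init__(self):
        self._keys = {}   # doc_id -> key; never leaves the server unless policy allows
        self._acl = {}    # doc_id -> set of users currently allowed to open it
        self.audit = []   # (doc_id, user, granted), the compliance trail the text mentions

    def protect(self, doc_id: str, plaintext: bytes, users) -> dict:
        """Wrap a document: the ciphertext travels, the key stays here."""
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[doc_id] = key
        self._acl[doc_id] = set(users)
        return {"doc_id": doc_id, "nonce": nonce,
                "ciphertext": _keystream_xor(key, nonce, plaintext)}

    def revoke(self, doc_id: str, user: str) -> None:
        """Relationship ended or device lost: drop the user from the document's ACL."""
        self._acl.get(doc_id, set()).discard(user)

    def request_key(self, doc_id: str, user: str):
        """Every open phones home; the decision is made on the ACL as it is right now."""
        granted = user in self._acl.get(doc_id, set())
        self.audit.append((doc_id, user, granted))
        return self._keys[doc_id] if granted else None


def open_document(server: PolicyServer, envelope: dict, user: str):
    """Client side: fetch the key on each open; return plaintext, or None if refused."""
    key = server.request_key(envelope["doc_id"], user)
    if key is None:
        return None
    return _keystream_xor(key, envelope["nonce"], envelope["ciphertext"])
```

A transit-only control (VPN, gateway) has no equivalent of `revoke`: once the plaintext has left, nothing can be withdrawn, which is the gap the interview is pointing at.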

What complexities will an enterprise face in adopting this approach?

The primary complexities are about understanding their own workflows. So if it's a workflow that involves an M&A deal, they really want to lock it down so no competitors see that information and it doesn't leak out. If it's something less sensitive, like an individual's use of sync functionality for their own file folders, the organization may be comfortable with that as long as they have the capability to track for compliance purposes to make sure sensitive data is not leaking through that channel.

Is this something workers can embrace, or will they perceive it as yet another security layer that slows them down?

The carrot is you now have access to your documents in an enterprise-approved way from every device. The stick is, obviously, the controls. In most cases, security technology is not really an enabler, but in this case it can be: now you can trust certain collaborations, certain things like sync that you might not have trusted before. We're delivering technology that can be centrally managed like an enterprise application but that delivers users the same sort of experience they would get with a consumer tool like Dropbox or Box. ■


NETWORK CISCO.

YOUR BUSINESS NEEDS TO BE AGILE, FLEXIBLE AND RESILIENT. SO WHY IS YOUR SERVER ARCHITECTURE STATIC, COMPLEX AND OUTDATED?


When we designed our servers, we started fresh. No silos, no complexity. The result is a server unlike any other on the market. It's the Cisco Unified Computing System™. And it transforms efficiency and productivity. That's because Cisco UCS is based on simplicity, integration, speed, automation and ease. It's a difference our customers are noticing: 80% increase in administrator productivity. 90% reduction in deployment times. 40% improvement in application performance. 30% lower infrastructure costs.

No wonder over 11,000 businesses have purchased Cisco UCS. It's built for productivity. Built for the future. Built by the only co

Learn more at cisco.com/servers.

Cisco UCS is powered by the Intel® Xeon® processor.




©2012 Cisco Systems, Inc. All rights reserved. All third-party products belong to the companies that own them. Intel, the Intel logo, Xeon, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and/or other countries.


